Skip to main content
banner image
venafi logo

Are Cyber Criminals Targeting Your SSH Keys? [in Python Libraries]

Are Cyber Criminals Targeting Your SSH Keys? [in Python Libraries]

ssh keys and cybercriminals
December 5, 2019 | Scott Carter

We’ve known for a long time

that SSH keys are valuable to cyber criminals—for many of the same reasons that they are valuable to us. They provide authenticated access to the secure systems we need to get into. Good when we do it. Bad when people we don’t know do it. But despite the high value of SSH keys, protecting them often becomes more of an afterthought for many organizations. So when cyber criminals gain an entry point into our networks, it may be easier than you think for them to find and misuse them to pivot from machine to machine.

Just this last week, we learned that two malicious Python libraries were stealing SSH and GPG keys. Discovered on December 1 by German software developer Lukas Martini, the two malicious clone libraries were created by the same developer. They were immediately removed after dateutil developers and the PyPI security team were notified. One library had been available for only two days, but the other had been live for almost a year.



ZDNet reported that the trojanized Python libraries used a technique called typosquatting to mimic other more popular libraries by registering similarly-looking names. “The first is ‘python3-dateutil,’ which imitated the popular ‘dateutil’ library. The second is ‘jeIlyfish’ (the first L is an I), which mimicked the ‘jellyfish’ library.”


A screenshot of a cell phone

Description automatically generated

Image: ZDNet

Examining the Impact

Because the malicious libraries deleted so quickly, it was initially difficult to determine what, exactly was their criminal intent. To learn more about the impact, ZDNet asked a member of the dateutil dev team, Paul Ganssle, to investigate the malicious code. According to Ganssle "The code directly in the ‘jeIlyfish’ library downloads a file called 'hashsum' that looks like nonsense from a gitlab repo, then decodes that into a Python file and executes it." He continued, "It looks like [this file] tries to exfiltrate SSH and GPG keys from a user's computer and send them to this IP address:"

Jing Xie, senior threat intelligence researcher at Venafi, warns that the growing reliance on OSLs for software development leaves many companies vulnerable to trust-based attacks. Unsuspecting developers and site managers can actively introduce malware into their own software and websites when they use a compromised OSL. When the infected code is distributed by a legitimate developer, the resulting malicious software will be automatically trusted by its users’ computers, infecting their computers and networks.

"55% increase in breaches resulting from OSL trust attacks in 2018”

“This is a very real problem, and recent research from Sonatype revealed a 55 percent increase in breaches resulting from OSL trust attacks in 2018,” said Xie. “It’s unrealistic, though, to ask businesses to completely change their practices by limiting the use of OSLs. Instead, the industry needs to work together to make open source code more dependable.”

Since trust-based attacks can infect millions of computers very quickly, it is critical that organizations increase their awareness about the risks associated with OSL security. The Developer hub recommends that, “All developers are advised to check if they’ve accidentally downloaded or imported the malicious libraries rather than the originals. If so, it’s advisable to change all SSH and GPG keys used over the past year.”

Jing Xie explains the dangers of open source libraries, and why the development community is just starting to take notice.




Related posts


Like this blog? We think you will love this.
Featured Blog

Microsoft Backs Off Internet Office Macro Ban [Update]

Microsoft disabled macro years ago by default

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Scott Carter
Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more