Malicious Python libraries stealing OpenPGP and SSH keys:

– Look for python3-dateutil and jeIlyfish.
– Both modules try to exfiltrate SSH/OpenPGP keys and send them to an IP address.
– This is the third time the PyPI team has intervened to remove typo-squatted malicious Python libraries from the official repository.
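Both package names in the post are squats on real packages: "python3-dateutil" adds one character to python-dateutil, and "jeIlyfish" swaps a capital I for the lowercase l in jellyfish. The following is an added example (not code from the original thread or from PyPI) of a defensive pre-install check that catches both patterns: it applies PEP 503 name normalization, folds visually confusable characters, and then compares each requested name against an allowlist of packages you actually depend on. The allowlist, the confusable table, and the requirements text are constructed for the example.

```python
import re

# Constructed allowlist; in practice, generate it from your lockfile or an
# internal mirror (assumption for this example, not part of the original post).
KNOWN_PACKAGES = {"jellyfish", "python-dateutil", "requests", "urllib3"}

# Characters commonly used to imitate another letter, folded to that letter.
# Applied after lowercasing, so a capital I becomes 'i' and is then folded to 'l'.
# Folding is deliberately lossy: both sides of every comparison are folded.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "|": "l"})


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def fold(name):
    """Normalized name with confusable characters collapsed."""
    return normalize(name).translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_name(candidate, known=KNOWN_PACKAGES, max_distance=1):
    """Return (verdict, closest_known).

    verdict is 'ok' for an exact allowlisted name, 'suspicious' when the name is
    a homoglyph of, or within max_distance edits of, an allowlisted name, and
    'unknown' otherwise (neither known nor close to anything known).
    """
    norm = normalize(candidate)
    if norm in known:
        return ("ok", norm)
    folded = fold(candidate)
    suspects = []
    for k in known:
        kf = fold(k)
        if folded == kf:
            suspects.append((0, k))      # identical after folding: homoglyph squat
        else:
            d = edit_distance(folded, kf)
            if d <= max_distance:
                suspects.append((d, k))  # one-character squat
    if suspects:
        suspects.sort()
        return ("suspicious", suspects[0][1])
    return ("unknown", None)


def scan_requirements(text, known=KNOWN_PACKAGES):
    """Check every package name in requirements-style text."""
    results = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not m:
            continue
        name = m.group(1)
        verdict, closest = check_name(name, known)
        results.append((name, verdict, closest))
    return results


# Constructed requirements file containing the two names from the post.
SAMPLE_REQUIREMENTS = """\
Requests==2.22.0
python3-dateutil     # squat: one extra character
jeIlyfish            # squat: capital I instead of lowercase l
python_dateutil
numpy
"""

if __name__ == "__main__":
    for name, verdict, closest in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:20} {verdict:10} {closest or ''}")
```

Run it before `pip install -r` in CI and fail the build on any "suspicious" verdict; "unknown" names are simply packages not yet on the allowlist and need a human decision rather than an automatic block.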

@infosechandbook Aaand that's why I love to have trusted package maintainers (aka the distribution model) different from the developers.

It only works if the distro maintainers know their shit. The "let everything run with the same access rights" model on the desktop and command line has to stop!

@infosechandbook Interesting. Would that exfiltration be possible if your keys are stored solely on a Yubikey?

No. That's the point of smartcards: you can't extract the private key.

But if someone has access to your machine they could use that to sign some stuff (e.g. packages or commits) unless you've got touch-to-use enabled.

YubiKeys/GnuPG smartcards improve the situation to a form where the key itself can only be used as long as it is plugged in. You can still forward the YubiKey socket or decrypt a password store.
