Malicious Python libraries stealing OpenPGP and SSH keys:
– Look for python3-dateutil and jeIlyfish.
– Both modules try to exfiltrate SSH/OpenPGP keys and send them to an IP address.
– This is the third time the PyPI team has intervened to remove typo-squatted malicious Python libraries from the official repository.
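As an added illustration (not part of this thread), a small Python allow-list check that flags both names above: it folds the capital-I homoglyph in jeIlyfish onto jellyfish and catches the extra "3" in python3-dateutil as a one-character typo of python-dateutil. The allow-list and the `pip freeze`-style listing are constructed sample input.

```python
import re
from typing import Dict, Optional, Set

# Look-alike characters folded together (partial table), plus the "python-"/"py-"
# prefixes and suffixes that typo-squats often add to a real project name.
_HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "O": "o"})
_PREFIX_SUFFIX = re.compile(r"^(python3?|py3?)-|-(python3?|py3?)$")

def normalize(name: str) -> str:
    """Fold case, homoglyphs and separator styles so look-alike names collide."""
    return re.sub(r"[-_.]+", "-", name.translate(_HOMOGLYPHS).lower())

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; 'python3-dateutil' vs 'python-dateutil' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_package(name: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted name `name` mimics, or None if trusted or not close."""
    if name in trusted:
        return None
    by_norm = {normalize(t): t for t in trusted}
    n = normalize(name)
    stripped = _PREFIX_SUFFIX.sub("", n)       # 'python3-dateutil' -> 'dateutil'
    for candidate in (n, stripped):
        if candidate in by_norm:               # homoglyph / separator / prefix variant
            return by_norm[candidate]
    for tn, t in by_norm.items():
        if min(edit_distance(n, tn), edit_distance(stripped, tn)) == 1:
            return t                           # one typo away, e.g. an extra '3'
    return None

def scan_freeze(freeze_output: str, trusted: Set[str]) -> Dict[str, str]:
    """Map each suspicious name in `pip freeze`-style text to the name it mimics."""
    hits: Dict[str, str] = {}
    for line in freeze_output.splitlines():
        pkg = re.split(r"[=<>!~ @]", line.strip(), maxsplit=1)[0]
        if pkg and not pkg.startswith("#"):
            mimicked = check_package(pkg, trusted)
            if mimicked:
                hits[pkg] = mimicked
    return hits

# Constructed sample input: an allow-list and a fake `pip freeze` listing.
TRUSTED = {"python-dateutil", "jellyfish", "requests", "six"}
SAMPLE_FREEZE = "python-dateutil==2.8.1\npython3-dateutil==2.9.0\njeIlyfish==0.7.1\nrequests==2.22.0\n"
```

Running `scan_freeze(SAMPLE_FREEZE, TRUSTED)` returns the two squatted names mapped to the projects they imitate; a real allow-list would come from your lock file or an internal index.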
@infosechandbook Aaand that's why I love to have trusted package maintainers (aka the distribution model) different from the developers.
@infosechandbook Interesting. Would that exfiltration be possible if your keys are stored solely on a Yubikey?
No. That’s the point of smartcards: you can’t extract the private key.
But if someone has access to your machine they could use that to sign some stuff (e.g. packages or commits) unless you’ve got touch-to-use enabled: https://developers.yubico.com/PGP/Card_edit.html#_yubikey_4_touch
chaos.social – a Fediverse instance for & by the Chaos community