Malicious Python libraries stealing OpenPGP and SSH keys:

zdnet.com/article/two-maliciou

– Look for python3-dateutil, and jeIlyfish.
– Both modules try to exfiltrate SSH/OpenPGP keys and send them to an IP address.
– This is the third time the PyPI team has intervened to remove typo-squatted malicious Python libraries from the official repository.

#python #malware #pypi #infosec #security #cybersecurity
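
One way to do the "look for" step in the post above, as an added example that is not part of the original post: it flags the two reported names among the distributions installed for the current interpreter, and also names that only differ from the legitimate project by look-alike characters. The `LEGITIMATE` set and the `CONFUSABLES` table are assumptions made for this example.

```python
import re
from importlib import metadata

# The two names given in the post, in PEP 503 normalized form (lowercase,
# runs of "-", "_", "." collapsed). "jeIlyfish" has a capital I for the first L.
REPORTED = {"python3-dateutil", "jeilyfish"}
# Assumption: the legitimate projects those names imitate.
LEGITIMATE = {"python-dateutil", "jellyfish"}
# Assumption: characters commonly swapped for one another in look-alike names.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})


def normalize(name):
    """PEP 503 name normalization, as used by PyPI."""
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name):
    """Fold confusable characters so look-alike names compare equal."""
    return normalize(name).translate(CONFUSABLES)


SKELETONS = {skeleton(n): n for n in LEGITIMATE}


def classify(name):
    """Return 'reported', 'lookalike:<legit>' or None for a distribution name."""
    norm = normalize(name)
    if norm in REPORTED:
        return "reported"
    legit = SKELETONS.get(skeleton(norm))
    if legit is not None and norm != legit:
        return "lookalike:" + legit
    return None


def scan(names):
    """Classify every name, returning only the suspicious ones."""
    return {n: v for n in names if (v := classify(n))}


def installed_names():
    """Names of all distributions visible to this interpreter."""
    return [d.metadata["Name"] for d in metadata.distributions() if d.metadata["Name"]]


if __name__ == "__main__":
    for name, verdict in sorted(scan(installed_names()).items()):
        print(f"{name}: {verdict}")
```

Run it once per virtual environment and interpreter, since each has its own set of installed distributions.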

@infosechandbook Interesting. Would that exfiltration be possible if your keys are stored solely on a Yubikey?

No. That’s the point of smartcards that you can’t extract the private key.

But if someone has access to your machine they could use that to sign some stuff (e.g. packages or commits) unless you’ve got touch-to-use enabled: https://developers.yubico.com/PGP/Card_edit.html#_yubikey_4_touch
