Article 4W2GZ Two malicious Python libraries caught stealing SSH and GPG keys (ZDNet)

by corbet from LWN.net on (#4W2GZ)
ZDNet reports that two more malicious modules have been removed from the Python Package Index. "The two libraries were created by the same developer and mimicked other more popular libraries -- using a technique called typosquatting to register similarly-looking names. The first is 'python3-dateutil,' which imitated the popular 'dateutil' library. The second is 'jeIlyfish' (the first L is an I), which mimicked the 'jellyfish' library." The latter of the two had been in PyPI for nearly a year.
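As an added example (not part of the LWN or ZDNet text), the following dependency check flags both kinds of lookalike name quoted above: an extra `python3-` style affix and a swapped look-alike character. The allowlist, the affix pattern and the character fold table are assumptions chosen for the illustration, and `find_lookalikes` is a hypothetical helper name.

```python
import re

# Assumption: affixes commonly bolted onto a real name to make a lookalike.
_AFFIX = re.compile(r"^(?:python|py)[23]?-|-(?:python|py)[23]?$")
# Assumption: characters treated as visually interchangeable. Names are
# compared case-insensitively, so 'I' has already become 'i' when this runs.
_FOLD = str.maketrans({"i": "l", "1": "l", "0": "o"})


def normalize(name):
    """Case-fold and collapse '-', '_' and '.' runs, as PyPI name comparison does."""
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name):
    """Reduce a name to a comparison key: affixes stripped, look-alikes folded."""
    return _AFFIX.sub("", normalize(name)).translate(_FOLD)


def find_lookalikes(requested, allowlist):
    """Return (name, [allowlisted names it resembles]) for each requested name
    that is not itself allowlisted but shares a skeleton with an allowlisted one."""
    allowed = {normalize(n) for n in allowlist}
    by_skeleton = {}
    for n in allowed:
        by_skeleton.setdefault(skeleton(n), set()).add(n)
    hits = []
    for name in requested:
        norm = normalize(name)
        if norm in allowed:
            continue  # exact match with a vetted dependency
        targets = by_skeleton.get(skeleton(norm))
        if targets:
            hits.append((name, sorted(targets)))
    return hits


# Constructed sample data: the vetted dependencies of an imaginary project.
# 'python-dateutil' is the PyPI distribution name of the dateutil library.
ALLOWLIST = {"python-dateutil", "jellyfish", "requests"}
# Constructed requirements list containing the two names from the article.
REQUESTED = ["python3-dateutil", "jeIlyfish", "jellyfish",
             "python-dateutil", "requests", "numpy"]

if __name__ == "__main__":
    for name, targets in find_lookalikes(REQUESTED, ALLOWLIST):
        print(f"{name!r} resembles vetted package(s): {', '.join(targets)}")
```

A name such as `numpy` that is merely absent from the allowlist is not reported here; the check only answers whether a requested name imitates a vetted one.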