Two malicious Python packages were uploaded to the Python Package Index (PyPI) with the purpose of stealing SSH and GPG keys from the developers who installed them.
Both used typosquatting to impersonate a legitimate library. One of them remained in the repository for about a year; the other survived for just a couple of days.
PyPI is a collection of software created and shared by the Python community to help developers in their projects.
Undetected for a year

The fake library that spent the least amount of time on PyPI was available under the name 'python3-dateutil,' a clear impersonation of 'python-dateutil,' the package (imported as 'dateutil') that extends the standard Python datetime module.
It did not itself include dangerous code, but it imported a package called 'jeIlyfish' (the first 'l' is actually a capital 'I'), a fake version of the 'jellyfish' library "for doing approximate and phonetic matches of strings."
This fake library downloaded obfuscated code from a repository on GitLab. That code collected SSH and GPG keys, along with a list of directories on the compromised system, and delivered them to the attacker. The malicious 'jeIlyfish' had been present on PyPI since December 11, 2018, and was not removed until Sunday.

Both libraries were discovered on December 1 by German developer Lukas Martini, who reported them to the Python security team. They were removed a few hours later.
The two malicious packages were uploaded to PyPI under the same developer name, olgired2017. Apart from the malicious code, they behaved like the originals, so developers using them would not notice a difference.
Anyone using 'dateutil' or 'jellyfish' in their projects should check that they installed and imported the correct packages ('python-dateutil' and 'jellyfish') rather than the look-alike names.
Those who used the malicious clones are strongly advised to revoke and replace the GPG and SSH keys on any system where the packages were installed, covering projects developed since at least December 11, 2018, the date the fake 'jeIlyfish' first appeared.
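One way to perform that check across a project's dependency list, as an added example that is not code from the original report or from the PyPI team: the script below normalizes package names the way PyPI does (PEP 503), then flags any requested name that is a look-alike of an expected package, either through confusable characters (the capital 'I' in 'jeIlyfish') or through a single inserted, removed or changed character (the '3' in 'python3-dateutil'). The EXPECTED list and the SAMPLE requirements file are constructed for this example; the two malicious names in KNOWN_BAD are the ones from the report. The same check goes beyond the two reported names and will flag any other one-character typosquat of the packages you list as expected.

```python
"""Audit dependency names for the kind of typosquatting used against
'jellyfish' and 'python-dateutil'. Added example, not the PyPI team's tooling."""
import re
from importlib import metadata
from typing import Dict, Iterable, List, NamedTuple, Optional

# The two malicious names from the report, PEP 503-normalized, mapped to the
# legitimate package each impersonated. In 'jeIlyfish' the first 'l' of
# 'jellyfish' was replaced by a capital 'I', which lower-cases to 'i'.
KNOWN_BAD: Dict[str, str] = {
    "jeilyfish": "jellyfish",
    "python3-dateutil": "python-dateutil",
}

# Packages the project is expected to depend on. Constructed for this example;
# in practice derive the list from a reviewed lock file.
EXPECTED: List[str] = ["jellyfish", "python-dateutil", "requests"]

# Fold characters that look alike in common fonts onto one representative.
# Applied after lower-casing, so a capital 'I' has already become 'i'.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})

_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*")


class Finding(NamedTuple):
    requested: str      # name exactly as written in the requirement
    impersonates: str   # legitimate package it resembles
    reason: str
    confirmed: bool     # True if it is one of the names in the report


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case; runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def skeleton(name: str) -> str:
    """Normalized name with look-alike characters folded, for homoglyph comparison."""
    return normalize(name).translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; package names are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line: str) -> Optional[str]:
    """Extract the project name from one requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-") or "://" in line:
        return None          # blank, option (-r, -e, ...) or URL requirement
    m = _NAME_RE.match(line)
    return m.group(0) if m else None


def classify(requested: str, expected: Iterable[str] = EXPECTED) -> Optional[Finding]:
    """Return a Finding if the name is a near-miss of an expected package, else None."""
    name = normalize(requested)
    expected = [normalize(e) for e in expected]
    if name in expected:
        return None          # exact (normalized) match is the legitimate package
    for good in expected:
        if skeleton(name) == skeleton(good):
            reason = "look-alike characters"
        elif edit_distance(name, good) == 1:
            reason = "one character away"
        else:
            continue
        return Finding(requested, good, reason, name in KNOWN_BAD)
    return None


def audit_requirements(lines: Iterable[str], expected: Iterable[str] = EXPECTED) -> List[Finding]:
    """Run classify() over every requirement line and collect the findings."""
    findings = []
    for line in lines:
        name = requirement_name(line)
        if name:
            f = classify(name, expected)
            if f:
                findings.append(f)
    return findings


def audit_installed(expected: Iterable[str] = EXPECTED) -> List[Finding]:
    """Same check over the distributions installed in the current environment."""
    findings = []
    for dist in metadata.distributions():
        f = classify(dist.metadata["Name"], expected)
        if f:
            findings.append(f)
    return findings


# Constructed requirements file containing both names from the report.
SAMPLE = [
    "python3-dateutil>=2.8",
    "jeIlyfish==0.7.1   # capital I, not a lower-case l",
    "Jellyfish==0.7.2",
    "requests[security]==2.22.0",
    "-r other.txt",
]

if __name__ == "__main__":
    for f in audit_requirements(SAMPLE):
        tag = "CONFIRMED MALICIOUS" if f.confirmed else "suspicious"
        print(f"{tag}: {f.requested!r} resembles {f.impersonates!r} ({f.reason})")
```

Run it against a real requirements file by replacing SAMPLE with the file's lines, and call audit_installed() inside each virtual environment to catch packages that were installed by hand rather than from a requirements file. A hit with confirmed=True means the keys on that machine should be treated as stolen; a hit with confirmed=False is a name worth checking on PyPI before trusting it.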