Trojanized versions of PyPI Python packages
released on 2019-12-03 @ 08:53:15 PM
python3-dateutil on PyPI contains additional imports of the jeIlyfish package (itself a fake version of the jellyfish package, that first L is an I). The additional code exfiltrates SSH and GPG keys and a dump of different directories on the affected system.