
Commit b689cdc

Add Story Time on Typosquatting
Signed-off-by: David A. Wheeler <[email protected]>
1 parent 1d95440 commit b689cdc

File tree

1 file changed

+6
-0
lines changed


secure_software_development_fundamentals.md

Lines changed: 6 additions & 0 deletions
@@ -1198,6 +1198,10 @@ Most of these questions also apply to closed source software that is reused.
11981198

11991199
Most software depends on other software, which in turn often depends on other software with many tiers. A software bill of materials (SBOM) is a nested inventory that identifies the software components that make up a larger piece of software. Many ecosystems have ecosystem-specific SBOM formats. There are also some SBOM formats that support arbitrary ecosystems: [Software Package Data Exchange (SPDX)](https://spdx.dev/), [Software ID (SWID)](https://csrc.nist.gov/Projects/Software-Identification-SWID/), and [CycloneDX](https://github.com/CycloneDX/specification). When an SBOM is available for a component you are thinking about using, it’s often easier to use that data to help answer some of the questions listed above. It’s also good to provide an SBOM to potential users of your software, for the same reasons.
12001200

1201+
> 😱 STORY TIME: Typosquatting by jeIlyfish and python3-dateutil
1202+
1203+
> On 2019-12-01 German software developer Lukas Martini discovered that two Python libraries on the popular PyPI (Python Package Index) were typosquatting attacks. These malicious packages would steal SSH and GPG private keys from developers who used them. The malicious package `jeIlyfish` (note that the first `L` is really an `I`), which imitated the `jellyfish` library, did the damage. The same attacker also uploaded a malicious package named `python3-dateutil` which imitated the popular `dateutil` library. The malicious package `python3-dateutil` didn't include any malicious code itself, but instead loaded in the malicious package `jeIlyfish` as a dependency. The malicious package `python3-dateutil` had only been on PyPI for two days, but the malicious package `jeIlyfish` had been available for nearly a year. Both libraries were removed by PyPI on the day PyPI was notified. (["Two malicious Python libraries caught stealing SSH and GPG keys" by Catalin Cimpanu, ZDNet, 2019](https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/))
1204+
12011205
#### Quiz 3.1: Selecting (Evaluating) Open Source Software
12021206

12031207
\>\>What is evidence that the software you are thinking of reusing will probably be a good choice for security? Select all answers that apply.<<
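Review bot: the two added separator lines between the "STORY TIME" title line and the body line appear empty rather than carrying a leading `>`; in Markdown a blank line without `>` ends the blockquote, so the title and the paragraph would render as two separate quote boxes instead of one. Putting `>` on the separator line (as the other STORY TIME boxes in this document do) keeps them together. Two smaller points on the body text: the package the typosquat imitated is published on PyPI as `python-dateutil` (its import name is `dateutil`), and naming it that way makes the resemblance to `python3-dateutil` clearer to the reader; and since the story is placed right after the SBOM paragraph, a closing sentence tying it back to the evaluation questions above, for example that the exact package name must be verified character by character against the project's own site because a lookalike name can pass a casual glance, would make the lesson explicit rather than leaving it to the reader.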
@@ -5924,6 +5928,8 @@ Chen, Raymond, *Undefined behavior can result in time travel (among other things
59245928

59255929
Cimpanu, Catalin, *Microsoft: 70 percent of all security bugs are memory safe issues*, 2019-02-11 ([https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues/](https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues/))
59265930

5931+
Cimpanu, Catalin, "Two malicious Python libraries caught stealing SSH and GPG keys", ZDNet, 2019-12-03, <https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi>
5932+
59275933
CISCO, *Next Generation Cryptography* ([https://tools.cisco.com/security/center/resources/next_generation_cryptography](https://tools.cisco.com/security/center/resources/next_generation_cryptography))
59285934

59295935
Coggeshall, John, *Updating the Git protocol for SHA-256*, 2020 ([https://lwn.net/Articles/823352/](https://lwn.net/Articles/823352/))
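Review bot: the new bibliography entry does not follow the format of the surrounding entries, which italicise the title with `*...*`, place the date directly after the title, and give the URL as a Markdown link in parentheses, e.g. `Cimpanu, Catalin, *Microsoft: 70 percent of all security bugs are memory safe issues*, 2019-02-11 ([https://...](https://...))`. The added line instead quotes the title, inserts a ", ZDNet," element no neighbouring entry has, and uses an angle-bracket autolink; rewriting it as `Cimpanu, Catalin, *Two malicious Python libraries caught stealing SSH and GPG keys*, 2019-12-03 ([https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/](https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/))` keeps the list consistent. Note also that the inline citation in the STORY TIME box uses the URL with a trailing slash while this entry omits it; the two should match so the reference resolves to the same address.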
