Open Source 2018-05-07 · 2 days · Credential Theft, Data Exfiltration

ssh-decorate PyPI releases stole SSH credentials

Malicious ssh-decorate releases on PyPI collected SSH connection credentials and posted them to an attacker-controlled endpoint.

Story

ssh-decorate was a small Python library for wrapping Paramiko-style SSH connection code. In May 2018, a developer noticed that recent PyPI releases did more than help with SSH. The package collected the credentials it was handed and posted them to http://ssh-decorate.cf/index.php.

The backdoor was not subtle, but it was well placed. A package that decorates SSH calls naturally sees hostnames, usernames, passwords, and key material as part of normal use. That made the malicious code easy to miss in a quick review and dangerous in any automation script that reused real administrative credentials.
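One review check that would have surfaced this pattern is to ask why an SSH helper library talks HTTP at all. The following is an added example, not code from ssh-decorate or from the incident report: it walks the AST of each module in a package and reports imports of network libraries and string literals that look like URLs, so a reviewer can see egress paths before trusting the package with real credentials. The two sample modules and the collector URL are constructed for the example.

```python
"""Flag network-egress indicators in a Python package's source.

Added example for reviewing a dependency that handles credentials. It is
not the ssh-decorate code. It reports imports of HTTP/socket libraries and
URL-looking string constants; a decorator for SSH connections should have
neither, so any hit is a question for the reviewer.
"""
import ast
from dataclasses import dataclass

# Modules whose presence in an SSH-wrapper library warrants a closer look.
NETWORK_MODULES = {
    "urllib", "urllib2", "urllib.request", "requests",
    "http.client", "httplib", "socket",
}


@dataclass(frozen=True)
class Finding:
    module: str   # module name inside the package
    line: int     # source line of the indicator
    kind: str     # "import" or "url"
    detail: str   # imported module or the URL literal


def scan_source(name, source):
    """Return findings for one module's source text, ordered by line."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if alias.name in NETWORK_MODULES or root in NETWORK_MODULES:
                    findings.append(Finding(name, node.lineno, "import", alias.name))
        elif isinstance(node, ast.ImportFrom) and node.module:
            root = node.module.split(".")[0]
            if node.module in NETWORK_MODULES or root in NETWORK_MODULES:
                findings.append(Finding(name, node.lineno, "import", node.module))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # A hard-coded URL in a library that has no business with HTTP.
            if node.value.startswith(("http://", "https://")):
                findings.append(Finding(name, node.lineno, "url", node.value))
    findings.sort(key=lambda f: f.line)
    return findings


def scan_package(modules):
    """modules: mapping of module name -> source text. Returns all findings."""
    out = []
    for name, src in modules.items():
        out.extend(scan_source(name, src))
    return sorted(out, key=lambda f: (f.module, f.line))


# Constructed sample: a benign decorator module ...
CLEAN = '''
import functools
import paramiko

def ssh_connect(fn):
    @functools.wraps(fn)
    def wrapper(host, user, password, *args, **kwargs):
        client = paramiko.SSHClient()
        client.connect(host, username=user, password=password)
        return fn(client, *args, **kwargs)
    return wrapper
'''

# ... and the same decorator module with an unexplained HTTP egress path.
# The endpoint is a constructed placeholder, not the real collector.
SUSPECT = '''
import functools
import urllib.request
import paramiko

ENDPOINT = "http://collector.example.invalid/index.php"

def ssh_connect(fn):
    @functools.wraps(fn)
    def wrapper(host, user, password, *args, **kwargs):
        client = paramiko.SSHClient()
        client.connect(host, username=user, password=password)
        return fn(client, *args, **kwargs)
    return wrapper
'''

if __name__ == "__main__":
    for f in scan_package({"clean.py": CLEAN, "suspect.py": SUSPECT}):
        print(f"{f.module}:{f.line} {f.kind}: {f.detail}")
```

Run against an unpacked sdist or wheel, the scan is a triage aid rather than a verdict: a hit means the reviewer reads that code path to see what leaves the process, and a clean result says nothing about obfuscated or dynamically imported egress.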

Public reporting identified 0.27 as the last safe release and 0.28 through 0.31 as malicious. After the issue surfaced on Reddit and in security reporting, maintainer Uri Goren said the PyPI package had been hijacked, changed his PyPI password, and briefly republished the library under ssh-decorator. The package was then removed from both GitHub and PyPI.

The incident is a useful early PyPI credential-theft case because it was neither a typosquat nor a large dependency-chain compromise. The attacker, or whoever controlled the upload channel, used the real project name and shipped hostile release artifacts through the normal registry path.

Affected Artifacts

ssh-decorate

pypi · repository · Source Archive
Observed
2018-05-07 to 2018-05-09
Compromised Versions
0.28 through 0.31 (per public reporting)
Fixed
Not listed
Evidence
distribution: pypi.org/project/ssh-decorate, mirror: data.safetycli.com/packages/pypi/ssh-decorate, package: ssh-decorate, package: ssh-decorator, +8 more
  • Public reporting named 0.27 as the last safe release and 0.28 through 0.31 as malicious.
  • The repo and PyPI project were removed after the Reddit discussion and security coverage; archived mirrors preserve the incident details.

Incident Context

Motive
Credential Theft
Cause
Package Registry Account Compromise
Transitive
No

External References

Source record: oss/attacks/ssh-decorate/meta.yaml