A backdoor was discovered in the Python module named SSH Decorator (ssh-decorate), that was developed by Israeli developer Uri Goren.
Are you using the Python module ‘SSH Decorator’? You need to check the version number, because newer versions include a backdoor.
The library was developed to handle SSH connections from Python code.
Early this week, a developer noticed that multiple backdoored versions of the SSH Decorate module, the malicious code included in the library allowed to collect users’ SSH credentials and sent the data to a remote server controlled by the attackers.
The remote server that received stolen data is accessible at the following address:
http://ssh-decorate.cf/index.php
The following images were shared bleepingcomputer.com that first reported the news.
The Israeli developer Uri Goren, once notified to the problem, confirmed that backdoor was added by attackers.
Initially, the developer has updated the password for the PyPI Python central repo hub and published a sanitized version of the package.
“I have updated my PyPI password, and reposted the package under a new name ssh-decorator,” he said.
“I have also updated the readme of the repository, to make sure my users are also aware of this incident.”
“It has been brought to our attention, that previous versions of this module had been hijacked and uploaded to PyPi unlawfully. Make sure you look at the code of this package (or any other package that asks for your credentials) prior to using it.” reads the README file.
The presence of the backdoor in the SSH Decorator module alerted many users on Reddit, many of them accused Goren that for this reason decided to take down the package from both GitHub and PyPI — the Python central repo hub.
Developers that use the SH Decorator (ssh-decorate) module need to use the last safe version was 0.27, later version 0.28 through 0.31 were compromised.
To read the original article:
https://securityaffairs.co/wordpress/72298/malware/ssh-decorator-backdoor.html