
SSH keys stolen by stream of malicious PyPI and npm packages
2023-09-27 21:48

A stream of malicious npm and PyPI packages has been found stealing a wide range of sensitive data from software developers on those platforms.

The campaign started on September 12, 2023, and was first discovered by Sonatype, whose analysts unearthed 14 malicious packages on npm.

Since the start of the campaign, the attackers have uploaded 45 packages on npm and PyPI, with variants in the code indicating a rapid evolution in the attack.

The data stolen by the packages includes sensitive machine and user information.

The stolen information can be used to expose the real identities of developers and to give the attackers unauthorized access to any systems, servers, or infrastructure reachable with the stolen SSH private keys.

Users of package registries such as PyPI and npm are advised to be cautious about which packages they download and run on their systems, as there is a constant influx of malware into those ecosystems.


News URL

https://www.bleepingcomputer.com/news/security/ssh-keys-stolen-by-stream-of-malicious-pypi-and-npm-packages/
