<div dir="ltr"><i>"The first is "python3-dateutil," which imitated the popular "dateutil" library. The second is "jeIlyfish" (the first L is an I), which mimicked the "jellyfish" library."<br></i><br><div>If you read that carefully, it says these 2 libraries imitated the real libraries. It does not say that the original libraries were compromised.<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 23, 2020 at 7:50 PM Chihurumnaya Ibiam &lt;<a href="mailto:ibiamchihurumnaya@gmail.com">ibiamchihurumnaya@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">Dateutil has been found to contain malicious code; a GitHub search shows 10+ uses of dateutil in Sugar Labs repos.<div dir="auto"><br></div><div dir="auto">You can read more about it here:</div><div dir="auto"><a href="https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/" target="_blank">https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/</a><br></div></div>
_______________________________________________<br>
Sugar-devel mailing list<br>
<a href="mailto:Sugar-devel@lists.sugarlabs.org" target="_blank">Sugar-devel@lists.sugarlabs.org</a><br>
<a href="http://lists.sugarlabs.org/listinfo/sugar-devel" rel="noreferrer" target="_blank">http://lists.sugarlabs.org/listinfo/sugar-devel</a><br>
</blockquote></div>
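<div>Added example, not part of the original thread or of any Sugar Labs code: one way to check whether a repository's requirements name the real libraries or one of the imitations quoted above. It generalizes slightly beyond the two names in the article by also flagging other look-alike spellings; the sample requirement lines, the version numbers in them, and the function names are constructed for illustration.</div>

```python
import re

# Names from the article quoted in the thread.
IMITATIONS = {"python3-dateutil", "jeIlyfish"}
# Libraries they mimicked; "python-dateutil" is dateutil's distribution name on PyPI.
LEGITIMATE = {"dateutil", "python-dateutil", "jellyfish"}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def skeleton(name):
    """Drop a python/py prefix and fold visually confusable characters (i, 1 -> l; 0 -> o)."""
    stripped = re.sub(r"^(python|py)[0-9]*-", "", normalize(name))
    return stripped.translate(str.maketrans("i10", "llo"))

def requirement_name(line):
    """Return the project name from one requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()
    match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return match.group(0) if match else None

def audit(lines):
    """Return (line number, name, reason) for each suspicious requirement."""
    bad = {normalize(n) for n in IMITATIONS}
    good = {normalize(n) for n in LEGITIMATE}
    good_skeletons = {skeleton(n): n for n in sorted(LEGITIMATE)}
    findings = []
    for lineno, line in enumerate(lines, 1):
        name = requirement_name(line)
        if name is None:
            continue
        norm = normalize(name)
        if norm in bad:
            findings.append((lineno, name, "named in the article as an imitation"))
        elif norm not in good and skeleton(name) in good_skeletons:
            findings.append((lineno, name, "lookalike of " + good_skeletons[skeleton(name)]))
    return findings

# Constructed sample input, not taken from any real repository.
SAMPLE = ["python-dateutil>=2.8  # real library", "python3-dateutil==2.9.1",
          "jellyfish", "jeIlyfish==0.7.2", "je1lyfish", "-r extra.txt", "requests"]

if __name__ == "__main__":
    for lineno, name, reason in audit(SAMPLE):
        print(f"line {lineno}: {name}: {reason}")
```

<div>A plain search for the string "dateutil" matches both the real library and the imitation, so the project name on each requirement line is what needs comparing.</div>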