Two key-stealing libraries were found in PyPI, the Python Package Index. One mimicked the dateutil library (published as python-dateutil) by prepending "python3-", so that anyone guessing at the name would stumble into python3-dateutil instead. The other mimicked the jellyfish library but swapped the lowercase L in its name for a capital I, which many fonts render identically. Both were allegedly uploaded by the same user and exfiltrated data to the same destination. This is not the first time PyPI has had to remove malware mimicking popular packages, but the index remains open to all comers and continues to exercise little actual control over the namespace it indexes.
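The two tricks described above, a distribution-style prefix and a homoglyph swap, are both mechanical and can be screened for before a name ever reaches pip. The following is an added example, not code from the page or from PyPI: it normalises a requested name the way PEP 503 does, generates the look-alike forms an attacker could be imitating (capital I or digit 1 for lowercase l, digit 0 for o, a stripped "python3-"/"python-" prefix) and checks them against a list of popular projects. The popular-project list, the prefix list and the homoglyph table are constructed assumptions; a real deployment would feed in the top projects by download count. It also goes one step beyond the page and flags names within a single edit of a popular name, which catches ordinary typos as well as deliberate squats.

```python
"""Screen a package name for typosquatting against a set of popular projects.

Added example; assumes a constructed list of popular names and a small,
hand-picked homoglyph and prefix table.
"""
import re
from typing import Optional, Tuple

# Constructed sample of popular project names (assumption, not a PyPI feed).
POPULAR = {"python-dateutil", "jellyfish", "requests", "urllib3"}

# Characters that pass for another one in common fonts (assumption).
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

# Prefixes that Linux distributions use but PyPI project names usually do not.
PREFIXES = ("python3-", "python-", "py3-", "py-")


def pep503(name: str) -> str:
    """PEP 503 normalised form: lowercase, runs of '-', '_', '.' collapsed to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def strip_prefix(name: str) -> str:
    """Drop one distribution-style prefix, keeping at least one character."""
    for p in PREFIXES:
        if name.startswith(p) and len(name) > len(p):
            return name[len(p):]
    return name


def lookalikes(name: str) -> set:
    """Every normalised form this name could be trying to imitate."""
    forms = set()
    for raw in (name, name.translate(HOMOGLYPHS)):
        n = pep503(raw)
        forms.add(n)
        forms.add(strip_prefix(n))
    return forms


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion from a
        elif len(a) < len(b):
            j += 1          # insertion into a
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)
    return edits <= 1


def check(name: str, known=POPULAR) -> Tuple[str, Optional[str]]:
    """Classify a requested name.

    Returns ("known", project) for a popular project itself,
    ("suspect", project) for a name that collides with one after
    typosquat normalisation or lies within one edit of it, and
    ("unknown", None) otherwise.
    """
    index = {}
    for k in known:
        n = pep503(k)
        index[n] = k
        index.setdefault(strip_prefix(n), k)   # "python-dateutil" -> "dateutil"

    normalised = pep503(name)
    if normalised in {pep503(k) for k in known}:
        return ("known", index[normalised])
    for form in lookalikes(name):
        if form in index:
            return ("suspect", index[form])
    for k in known:
        if within_one_edit(normalised, pep503(k)):
            return ("suspect", k)
    return ("unknown", None)


if __name__ == "__main__":
    for candidate in ("python3-dateutil", "jeIlyfish", "jellyfish", "requets", "numpy"):
        print(candidate, "->", check(candidate))
```

The prefix and homoglyph rules deliberately widen the net: a "suspect" verdict is a reason to stop and look at the project page, not proof of malice, and the one-edit rule will also flag legitimate near-neighbours such as a fork that appends a digit.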