Malicious Python Package Exfiltrates AWS Credentials
Developers' Credentials Stolen via Typosquatted 'Fabric' Library
A malicious Python package that mimics a popular SSH automation library has been live on PyPI since 2021 and delivers payloads that steal credentials and create backdoors.
Application security company Socket said that operators behind the malicious fabrice package - a misspelling of the legitimate fabric library - appear intent on stealing AWS credentials from developers.
Once installed, the malicious package steals AWS access and secret keys, sending them to a remote server operated through a VPN in Paris, masking the attacker's true identity and location, researchers said.
PyPI, a widely used repository for Python libraries, has frequently been targeted by malicious actors. A North Korean hacking group with a history of stealing cryptocurrency poisoned Python packages in September, targeting developers working on the Linux and macOS operating systems in an apparent attempt at a supply chain attack (see: North Korea Targets Software Supply Chain Via PyPI).
According to Socket, fabrice operates by executing platform-specific scripts that vary between Linux and Windows environments.
On Linux systems, it creates hidden directories within user folders, downloads external scripts and obfuscates URLs to conceal its malicious intent.
The linuxThread function within the package downloads and executes these scripts, storing them in hidden directories such as ~/.local/bin/vscode, which are challenging to detect. Through encoded payloads, these scripts access and exfiltrate sensitive credentials, including AWS keys, without the user's knowledge.
The winThread function, deployed on Windows systems, leverages base64-encoded payloads to ensure persistence. It decodes specific variables to run scripts in the background and creates scheduled tasks that automatically execute malware every 15 minutes, ensuring ongoing access to the compromised system.
Once the scripts initiate, they download a secondary payload disguised as chrome.exe into the user's downloads folder, enabling the attacker to maintain control over the machine.
Socket informed PyPI of the malicious package to initiate its removal, but it remains available as of the latest report. Socket urged developers to verify libraries before installation and consider using security tools to flag potentially malicious packages.
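As an added illustration of the "verify libraries before installation" advice (this is example code written here, not Socket's tooling or anything from the fabrice package), the following Python check flags any requirements entry that is one edit away from a package on a team's allow-list, which is exactly the fabric/fabrice pattern. The allow-list and the requirements text are constructed for the demonstration.

```python
import re

# Constructed allow-list of packages a team actually depends on; in practice
# this would come from a vetted lockfile or an internal mirror.
KNOWN_PACKAGES = {"fabric", "requests", "boto3", "paramiko", "invoke", "urllib3"}

# Constructed requirements.txt contents containing the typosquat from the article.
SAMPLE_REQUIREMENTS = """\
fabrice==0.1.1   # looks like fabric, is not
requests>=2.31
boto3
paramiko==3.4.0
"""

def levenshtein(a, b):
    """Edit distance: minimum insertions, deletions and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Extract normalized project names from requirements.txt lines (comments ignored)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names

def find_typosquats(requirement_names, known=KNOWN_PACKAGES, max_distance=1):
    """Return (requested, lookalike, distance) for names not on the allow-list
    that sit within max_distance edits of a name that is."""
    known_norm = {normalize(k) for k in known}
    findings = []
    for name in requirement_names:
        if name in known_norm:
            continue
        for legit in sorted(known_norm):
            d = levenshtein(name, legit)
            if 0 < d <= max_distance:
                findings.append((name, legit, d))
    return findings

if __name__ == "__main__":
    for requested, legit, d in find_typosquats(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"WARNING: '{requested}' is {d} edit(s) from known package '{legit}'")
```

A hit only means "suspiciously close to a name you trust"; the entry still needs a look at the project's PyPI page and publisher before it is allowed or blocked.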