
Malicious Python Package Exfiltrates AWS Credentials

Developers' Credentials Stolen via Typosquatted ‘Fabric’ Library

A malicious Python package that mimics a popular SSH automation library has been live on PyPI since 2021 and delivers payloads that steal credentials and create backdoors.


Application security company Socket said that the operators behind the malicious fabrice package - a misspelling of the legitimate fabric library - appear intent on stealing AWS credentials from developers.

Once installed, the malicious package steals AWS access and secret keys, sending them to a remote server operated through a VPN in Paris, masking the attacker's true identity and location, researchers said.

PyPI, a widely used repository for Python libraries, has frequently been targeted by malicious actors. A North Korean hacking group with a history of stealing cryptocurrency poisoned Python packages in September, targeting developers working on the Linux and macOS operating systems in an apparent attempt at a supply chain attack (see: North Korea Targets Software Supply Chain Via PyPI).

According to Socket, fabrice operates by executing platform-specific scripts that vary between Linux and Windows environments.

On Linux systems, it creates hidden directories within user folders, downloads external scripts and obfuscates URLs to conceal its malicious intent.

The linuxThread function within the package downloads and executes these scripts, storing them in hidden directories such as ~/.local/bin/vscode, which are challenging to detect. Through encoded payloads, these scripts access and exfiltrate sensitive credentials, including AWS keys, without the user's knowledge.

The winThread function, used on Windows systems, relies on base64-encoded payloads: it decodes specific variables to run scripts in the background and creates a scheduled task that re-executes the malware every 15 minutes, ensuring ongoing access to the compromised system.

Once the scripts initiate, they download a secondary payload disguised as chrome.exe into the user's downloads folder, enabling the attacker to maintain control over the machine.
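The traits described above (base64 blobs that decode to code, exec or subprocess sinks, hidden directories under the home folder, schtasks persistence, AWS credential access) can be triaged statically before a package is ever installed. The following Python script is an added example written for this article; it is not Socket's tooling and not fabrice's source. The SAMPLE module is a constructed, harmless imitation of the described behaviour, and the indicator lists, thresholds and function names are the example's own choices.

```python
import ast
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed, harmless stand-in for a module with the traits described
# above. It is NOT fabrice's code; the encoded blob only wraps a print().
_INNER = b'print(os.environ.get("AWS_SECRET_ACCESS_KEY"))'
SAMPLE = '''
import base64, os, subprocess
HOME = os.path.expanduser("~/.local/bin/vscode")
payload = base64.b64decode("{blob}").decode()
exec(payload)
subprocess.Popen(["schtasks", "/create", "/sc", "minute", "/mo", "15"])
'''.format(blob=base64.b64encode(_INNER).decode())

# Constructed benign module used as a control.
BENIGN = "import json\ndef load(path):\n    with open(path) as fh:\n        return json.load(fh)\n"

# Calls that turn data into code or processes (example's own list).
SINK_CALLS = {"exec", "eval", "os.system", "os.popen",
              "subprocess.Popen", "subprocess.run", "subprocess.call"}

# String indicators drawn from the behaviours the article describes.
INDICATORS = {
    "aws_credential": re.compile(r"AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)|\.aws[/\\]credentials"),
    "hidden_home_dir": re.compile(r"~[/\\]\.[A-Za-z]"),
    "scheduled_task": re.compile(r"\bschtasks\b|Register-ScheduledTask", re.IGNORECASE),
}

Finding = Tuple[int, str, str]  # (line, category, detail)


def call_name(node: ast.Call) -> str:
    """Render the callee as a dotted name ('subprocess.Popen', 'exec')."""
    parts = []
    func = node.func
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return ""  # callee is a call result or subscript; not a plain name


def try_b64(text: str) -> Optional[str]:
    """Return the decoded text if `text` is a base64 blob that decodes to
    printable text, else None. Short strings are ignored to cut noise."""
    if len(text) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=]+", text):
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not all(ch.isprintable() or ch.isspace() for ch in decoded):
        return None
    return decoded


def scan_source(src: str) -> List[Finding]:
    """Walk one module's AST and collect sinks, decodable blobs and
    indicator strings (also searched inside decoded blobs)."""
    findings = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = call_name(node)
            if name in SINK_CALLS:
                findings.add((node.lineno, "exec_sink", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            texts = [node.value]
            decoded = try_b64(node.value)
            if decoded is not None:
                findings.add((node.lineno, "base64_payload", decoded[:60]))
                texts.append(decoded)
            for text in texts:
                for cat, rx in INDICATORS.items():
                    if rx.search(text):
                        findings.add((node.lineno, cat, text[:60]))
    return sorted(findings)


def verdict(findings: List[Finding]) -> str:
    """'suspicious' when an encoded payload coexists with an execution
    sink, 'review' when only single indicators appear, else 'clean'."""
    cats = {cat for _, cat, _ in findings}
    if "base64_payload" in cats and "exec_sink" in cats:
        return "suspicious"
    if cats & {"aws_credential", "scheduled_task", "hidden_home_dir"}:
        return "review"
    return "clean"


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE), ("benign", BENIGN)):
        hits = scan_source(src)
        print(label, verdict(hits))
        for line, cat, detail in hits:
            print(f"  line {line}: {cat}: {detail}")
```

In practice run `scan_source` over every `.py` file in a package downloaded with `pip download --no-deps <name>` and unpacked, rather than after installation: fabrice does its work at import time, so installing first defeats the point. The blob check decodes only well-formed base64 that yields printable text, which keeps binary assets and short tokens out of the findings.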

Socket informed PyPI of the malicious package to initiate its removal, but it remains available as of the latest report. Socket urged developers to verify libraries before installation and consider using security tools to flag potentially malicious packages.
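One concrete way to "verify libraries before installation" is to compare every requested name against the names you actually mean to depend on and flag near-misses such as fabrice for fabric. The Python below is an added example, not a Socket tool and not part of the article; KNOWN_GOOD is a constructed allowlist standing in for a team's vetted dependencies, and the distance threshold and function names are the example's own choices.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed allowlist standing in for the names a team actually depends
# on (or a top-downloads list). Example's own choice, not from the article.
KNOWN_GOOD = ["fabric", "requests", "boto3", "urllib3", "paramiko", "invoke"]

# Leading project name of a requirements line ("fabrice==1.0.0" -> "fabrice").
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 name normalization, as pip applies it: lower-case and
    collapse every run of '-', '_' or '.' into a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute each costing 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalikes(requested: str, known: Iterable[str] = KNOWN_GOOD,
               max_distance: int = 2) -> List[Tuple[int, str]]:
    """Known-good names within `max_distance` edits of `requested`, nearest
    first. An exact (normalized) match is the intended package, so it
    yields an empty list rather than flagging itself."""
    req = normalize(requested)
    hits = []
    for name in known:
        norm = normalize(name)
        if norm == req:
            return []
        dist = levenshtein(req, norm)
        if dist <= max_distance:
            hits.append((dist, norm))
    return sorted(hits)


def check_requirements(lines: Iterable[str]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each requested package that resembles a known name to its
    look-alikes. Comments, blank lines and pip options such as
    '-r other.txt' are skipped because they do not start with a name."""
    flagged = {}
    for line in lines:
        match = _REQ_NAME.match(line)
        if not match:
            continue
        name = match.group(1)
        hits = lookalikes(name)
        if hits:
            flagged[name] = hits
    return flagged


if __name__ == "__main__":
    # Constructed requirements file for the demonstration.
    demo = ["fabrice==1.0.0", "requests>=2.31", "-r base.txt", "# pinned", ""]
    for name, hits in check_requirements(demo).items():
        print(f"{name}: did you mean {', '.join(n for _, n in hits)}?")
```

A distance of 2 catches one-letter additions and transpositions but will also flag legitimately similar names (boto against boto3, for instance), so treat a hit as a prompt to check the project page and publisher on PyPI, not as a block by itself. Wire `check_requirements` into CI before `pip install -r` runs.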


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.



