The Information Highway

The Information Highway

Font size: +
2 minutes reading time (387 words)

Malicious PyPI Package 'Fabrice' Found Stealing AWS Keys from Thousands of Developers

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that has racked up thousands of downloads for over three years while stealthily exfiltrating developers' Amazon Web Services (AWS) credentials.

The package in question is "fabrice," which typosquats a popular Python library known as "fabric," which is designed to execute shell commands remotely over SSH.

While the legitimate package has over 202 million downloads, its malicious counterpart has been downloaded more than 37,100 times to date. As of writing, "fabrice" is still available for download from PyPI. It was first published in March 2021. 

The typosquatting package is designed to exploit the trust associated with "fabric," incorporating "payloads that steal credentials, create backdoors, and execute platform-specific scripts," security firm Socket said.

"Fabrice" is designed to carry out its malicious actions based on the operating system on which it's installed. On Linux machines, it uses a specific function to download, decode, and execute four different shell scripts from an external server ("89.44.9[.]227").

On systems running Windows, two different payloads – a Visual Basic Script ("p.vbs") and a Python script – are extracted and executed, with the former running a hidden Python script ("d.py") stored in the Downloads folder.

"This VBScript functions as a launcher, allowing the Python script to execute commands or initiate further payloads as designed by the attacker," security researchers Dhanesh Dodia, Sambarathi Sai, and Dwijay Chintakunta said.

The other Python script is designed to download a malicious executable from the same remote server, save it as "chrome.exe" in the Downloads folder, set up persistence using scheduled tasks to run the binary every 15 minutes, and finally delete the "d.py" file.

The end goal of the package, regardless of the operating system, appears to be credential theft, gathering AWS access and secret keys using the Boto3 AWS Software Development Kit (SDK) for Python and exfiltrating the information back to the server.

"By collecting AWS keys, the attacker gains access to potentially sensitive cloud resources," the researchers said. "The fabrice package represents a sophisticated typosquatting attack, crafted to impersonate the trusted fabric library and exploit unsuspecting developers by gaining unauthorized access to sensitive credentials on both Linux and Windows systems."

Update

The "fabrice" package is no longer available for download from the PyPI repository.

Canada orders TikTok to shut down over national ri...
HPE warns of critical RCE flaws in Aruba Networkin...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023