Beware Python Developers: Malicious ‘fabrice’ Package Steals AWS Credentials from 37,000+ Downloads
In a concerning development for Python developers and cloud administrators, The Socket Research Team has identified a malicious package, fabrice, masquerading as the legitimate and widely used fabric SSH automation library. Since its release on PyPI in 2021, fabrice has silently exfiltrated sensitive AWS credentials, impacting users who unknowingly installed the typosquatted package. With over 37,000 downloads, the fabrice package highlights the persistent risks malware poses in open-source repositories.
The malicious fabrice package employs various techniques to deliver its payload, with different malicious actions tailored for Linux and Windows environments:
- On Linux Systems: The package uses a function called
linuxThread()
to download and execute hidden scripts from an external server. According to the research, “the linuxThread() function creates a hidden directory (~/.local/bin/vscode) where it stores downloaded payloads”, making detection difficult. Additionally, the package connects to a VPN server at IP address 89.44.9.227 to download these malicious scripts, using obfuscation techniques to avoid detection. - On Windows Systems: The Windows version, using the
winThread()
function, relies on base64-encoded payloads stored in variablesvv
andzz
. The research explains that “the vv variable decodes into a VBScript (p.vbs) that runs a hidden Python script (d.py)”, which then downloads further malicious executables. Thezz
script establishes persistence by scheduling tasks to re-execute the malicious code, maintaining the attack’s presence even after system reboots.
The main purpose of fabrice appears to be the theft of AWS credentials. By leveraging the boto3 library, the package extracts AWS access and secret keys from the compromised environment. Once captured, these credentials are transmitted to the VPN endpoint, making it challenging for victims to trace the exfiltrated data. As the report emphasizes, “by collecting AWS keys, the attacker gains access to potentially sensitive cloud resources,” potentially exposing significant data and cloud resources to unauthorized access.
The malware is designed to be platform-agnostic, with a test() function that checks the operating system and executes the appropriate malicious thread. This capability enables the malware to target both Linux and Windows users, increasing the scope of its impact. “This platform-agnostic trigger ensures that the attack proceeds regardless of the operating system, broadening its potential impact,” the report notes.
Typosquatting attacks, where malicious packages are named similarly to trusted libraries, remain a growing risk in open-source software repositories. The legitimate fabric library, created by bitprophet, has over 201 million downloads and is widely trusted by developers. The attackers behind fabrice exploited this trust, resulting in widespread credential theft and backdoor installations across unsuspecting systems.