A malicious Python package called "Fabrice" that has been live on PyPI since 2021 has been typosquatting the popular Fabric SSH automation library, quietly exfiltrating AWS credentials; it has been downloaded more than 37,000 times.
The Socket Research Team said in a Nov. 6 post that the legitimate Fabric library has more than 201 million downloads and has earned the trust of developers worldwide. Fabric operates as a high-level Python (2.7, 3.4+) library that executes shell commands remotely over SSH, yielding useful Python objects in return.
According to the Socket Research Team, Fabrice was designed to exploit this trust: it contains payloads that steal credentials, create backdoors, and execute platform-specific scripts.
“The Fabrice package represents a sophisticated typosquatting attack, crafted to…exploit unsuspecting developers by gaining unauthorized access to sensitive credentials on both Linux and Windows systems,” wrote the researchers. “Through obfuscated URLs, encoded payloads, and a VPN-based proxy server for covert data exfiltration, this attack underscores the critical importance of using tools that will alert you to this behavior before it lands in your codebase.”
The long-term nature of the Fabrice package, which remained active on PyPI for over three years, reflects a calculated, strategic patience often associated with advanced, resourceful threat actors, explained Callie Guenther, senior manager of cyber threat research at Critical Start.