Developers’ Credentials Compromised Through Typosquatted ‘Fabric’ Library
A deceptive Python package, masquerading as a popular SSH automation library, has been active on the PyPi repository since 2021. This malicious package is designed to distribute payloads that compromise user credentials and create unauthorized access points.
According to application security firm Socket, the perpetrators behind the fraudulent fabrice package—an incorrect spelling of the genuine fabric library—appear to be specifically targeting AWS credentials of developers. Upon installation, this harmful package captures AWS access and secret keys, transmitting this sensitive information to a remote server based in Paris, effectively masking the attackers’ identity and location.
PyPI, a widely utilized repository for Python libraries, has become a frequent target for malicious activities. Notably, a North Korean hacking group known for stealing cryptocurrencies exploited Python packages in September, focusing on developers within the Linux and macOS ecosystems to execute a supply chain attack (see: North Korea Targets Software Supply Chain Via PyPI).
Research indicates that the fabrice package operates differently across platforms like Linux and Windows. On Linux systems, it generates hidden directories within user folders, downloads external scripts, and obfuscates URLs to conceal its true malicious purpose. The linuxThread function within the package actively downloads and executes these scripts covertly, storing them in directories like ~/.local/bin/vscode, which are difficult for users to detect. Through these veiled scripts, the attacker can access and exfiltrate sensitive credentials, including AWS keys, without user awareness.
Conversely, on Windows systems, the winThread function employs base64-encoded payloads to maintain persistence. This function decodes specific variables to run background scripts and establishes scheduled tasks to execute malware every 15 minutes, thereby enabling sustained access to the infected system. Once triggered, these scripts download a secondary payload camouflaged as chrome.exe into the user’s downloads folder, solidifying the attacker’s control over the device.
Socket has notified PyPI about the presence of this malicious package in an effort to have it removed, but it remains accessible as of the latest report. The company has urged developers to thoroughly verify libraries prior to installation and suggested employing security tools to identify potentially harmful packages.
This incident highlights critical aspects of threat behaviors aligned with the MITRE ATT&CK framework, specifically tactics such as initial access, credential access, and persistence. The misuse of typosquatting and malicious payload delivery underscores the pressing need for heightened vigilance among developers and security teams alike, in an era where supply chain vulnerabilities are increasingly exploited.
