Malicious Python Package on PyPI Steals AWS Credentials
Cybersecurity researchers have identified a malicious package on the Python Package Index (PyPI) that has been quietly exfiltrating Amazon Web Services (AWS) credentials from unsuspecting developers for over three years. The package, named “fabrice,” exploits a common typo of the highly regarded “fabric” library, a tool used for executing shell commands remotely over SSH.
While the legitimate “fabric” package has amassed over 202 million downloads, the rogue “fabrice” has been downloaded more than 37,000 times since its release in March 2021. Despite its malicious nature, “fabrice” remains available for download on PyPI at the time of this report. Such events raise significant concerns about the security practices of software developers, particularly those relying on external libraries.
The “fabrice” package has been crafted to abuse the trust associated with its legitimate counterpart, embedding payloads designed to steal credentials, create backdoors, and execute scripts tailored to specific operating systems. Research from the security firm Socket showed that the package’s behaviour depends on the host operating system. On Linux systems it downloads and runs shell scripts from an external server, while Windows machines face a two-stage attack that uses both Visual Basic and Python scripts.
On Windows, one payload launches a hidden Python script that downloads a malicious executable disguised as “chrome.exe,” subsequently establishing persistence by scheduling the binary to execute every 15 minutes. This method of operation clearly reflects the MITRE ATT&CK tactics of initial access and persistence, targeting developer systems without immediate detection.
The overarching goal of “fabrice” appears to be the systematic theft of AWS credentials, utilizing the Boto3 SDK for Python to gather sensitive access and secret keys. The researchers warn that such a breach would grant attackers unauthorized access to potentially invaluable cloud resources, thereby posing significant risks to organizations whose developers may fall victim to this disguised threat.
The malicious activities enabled by “fabrice” underscore the critical need for developers to stay vigilant about software supply chain security. Verifying the exact names of the packages being installed and reviewing their source code can mitigate the risk of typosquatting attacks, which exploit developers’ trust in widely used libraries.
An update regarding this incident noted that the “fabrice” package has since been removed from the PyPI repository. In light of this situation, AWS has urged customers who use the legitimate “fabric” library for SSH interactions to audit their environments and confirm they have not inadvertently installed the malicious package. If any suspicious activity is detected, AWS recommends following its guidance for remediating potentially compromised credentials and contacting support as necessary.
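As an illustration of the name-checking and environment audit recommended above, the following added example (not code from the article, Socket or AWS) flags requirement names that sit within a couple of edits of a well-known package without being that package, which is exactly how “fabrice” shadows “fabric”. The POPULAR allowlist and the SAMPLE requirements text are constructed for the demonstration.

```python
"""Added example (not from the article or any vendor tool): flag requirement names
that are near-misses of popular packages, e.g. "fabrice" vs "fabric"."""
import re

POPULAR = {"fabric", "requests", "boto3", "paramiko", "numpy"}  # constructed allowlist

def normalize(name):
    """PEP 503 name normalisation: lowercase, and '-', '_', '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def edit_distance(a, b):
    """Levenshtein distance between two names (a single-typo squat scores 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text):
    """Pull distribution names out of requirements.txt lines, dropping specifiers and comments."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("-", "git+")):
            continue  # skip pip options and VCS URLs, which carry no simple name
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names

def find_suspects(names, popular=POPULAR, max_dist=2):
    """Return (name, lookalike) pairs for names close to, but not equal to, a popular package."""
    pop = sorted(normalize(p) for p in popular)
    suspects = []
    for raw in names:
        n = normalize(raw)
        if n in pop:
            continue  # an exact (normalised) match is the package the developer meant
        for p in pop:
            if edit_distance(n, p) <= max_dist:
                suspects.append((raw, p))
                break
    return suspects

SAMPLE = "fabric==3.2.2\nfabrice\nboto3>=1.34  # aws sdk\nrequets\n"  # constructed input

if __name__ == "__main__":
    for bad, like in find_suspects(parse_requirements(SAMPLE)):
        print(f"suspicious: {bad!r} looks like {like!r}")
```

The same check can be pointed at the output of `pip freeze` to audit an already-installed environment rather than a requirements file.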
This incident illustrates the evolving landscape of cybersecurity risks and the continuous need for heightened awareness among developers. As the threat landscape grows ever more sophisticated, proper safeguards and proactive measures must remain a priority to protect sensitive data and infrastructures from increasingly clever adversaries.