November 7, 2024 at 05:04AM
A malicious package named “fabrice” on PyPI has stealthily stolen AWS credentials from developers for over three years, with over 37,100 downloads. It exploits trust in the legitimate library “fabric,” using various payloads to execute attacks on both Linux and Windows systems, facilitating credential theft.
### Meeting Takeaways – Nov 07, 2024
**Subject:** Vulnerability / Cloud Security
1. **Discovery of Malicious Package:**
– Cybersecurity researchers identified a malicious package named **”fabrice”** on the Python Package Index (PyPI).
– It has been available since **March 2021** and has been downloaded **over 37,100 times**.
2. **Relation to Legitimate Package:**
– “Fabrice” typosquats the popular library **”fabric,”** which has a significantly higher download count of **over 202 million**.
3. **Malicious Functionality:**
– The package is designed to **exfiltrate AWS credentials** and execute harmful scripts by taking advantage of the trust placed in the “fabric” library.
– It incorporates payloads that can:
– Steal credentials
– Create backdoors
– Execute specific scripts based on the operating system.
4. **Operating System Specific Behaviors:**
– **On Linux:** Downloads, decodes, and executes scripts from an external server (IP: 89.44.9[.]227).
– **On Windows:**
– Extracts and runs a Visual Basic Script and a Python script.
– The VBScript acts as a launcher for further malicious actions and can download a harmful executable disguised as “chrome.exe.”
5. **Goals of the Attack:**
– The primary objective appears to be **credential theft**, particularly targeting AWS access and secret keys using the **Boto3 SDK**.
– Compromised credentials could lead to unauthorized access to sensitive cloud resources.
6. **Current Status:**
– The “fabrice” package is still available for download on PyPI, highlighting the need for awareness and action against such threats in the developer community.
7. **Call to Action:**
– Developers should remain vigilant regarding similar typosquatting attacks and verify package authenticity before installation.
For ongoing updates on cybersecurity, follow us on Twitter and LinkedIn.