November 9, 2024 at 03:12PM
A malicious Python package, ‘fabrice’, has been available on PyPI since 2021, stealing AWS credentials from developers. Downloaded over 37,000 times by typosquatting the legitimate ‘fabric’ package, it runs OS-specific scripts that steal credentials and exfiltrate them to a VPN server. Users are advised to verify the packages they install and to use AWS IAM to limit what stolen credentials can do.
### Meeting Takeaways on Malicious Python Package ‘fabrice’:
1. **Overview of ‘fabrice’:**
   - A malicious package named **‘fabrice’** has been on PyPI since **2021**, targeting developers by stealing **Amazon Web Services (AWS)** credentials.
   - It has been downloaded over **37,000 times** because it typosquats the legitimate library **‘fabric’**, which has over **200 million downloads**.
2. **Detection Challenges:**
   - The package evaded detection for a long time because advanced scanning tools were introduced after it was submitted, and few of them performed **retroactive scans** of packages already on the index.
3. **Platform-Specific Behavior:**
   - **Linux:**
     - Creates a hidden directory at **‘~/.local/bin/vscode’** to store encoded shell scripts fetched from an external server.
     - Decodes the scripts and grants them execution permissions, allowing command execution with the user's privileges.
   - **Windows:**
     - Downloads a base64-encoded VBScript that triggers a hidden Python script.
     - That script downloads a malicious executable (“chrome.exe”) to the Downloads folder and schedules a Windows task to run it every **15 minutes** for persistence.
4. **AWS Credentials Theft:**
   - Both the Linux and Windows variants steal AWS credentials through **boto3**, which pulls credentials from the various configured sources.
   - Stolen credentials are exfiltrated to a **VPN server** operated by M247 in Paris, which complicates attribution.
5. **Recommendations for Mitigation:**
   - Verify the packages you download from PyPI to mitigate the risk of typosquatting.
   - Consider using tools designed to detect and block such threats.
   - AWS administrators should use **AWS Identity and Access Management (IAM)** to manage access permissions for resources.
These key points highlight the security risks posed by the ‘fabrice’ package and suggest measures to mitigate potential threats.
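As an added example (not code from the article or from any scanning tool it mentions), the following script shows the kind of check the "verify your packages" recommendation implies: it flags requirement names that are not on a known-package list but are within a couple of edits of one, which is exactly the ‘fabrice’ vs ‘fabric’ pattern, and it checks a host for the hidden `~/.local/bin/vscode` directory the article attributes to the Linux payload. The known-package list and the sample requirements text are constructed for illustration.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed allow-list of names a developer actually intends to install.
KNOWN_PACKAGES = {"fabric", "requests", "boto3", "numpy", "django"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def requirement_name(line: str) -> Optional[str]:
    """Distribution name from one requirements.txt line, PEP 503-normalized."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None  # blank, comment, or an option such as -r / --index-url
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return re.sub(r"[-_.]+", "-", m.group(0)).lower() if m else None

def suspicious_requirements(text: str, max_distance: int = 2) -> List[Tuple[str, str]]:
    """(requested, probable_target) pairs for names that are not on the
    allow-list but sit within max_distance edits of one ('fabrice' vs 'fabric')."""
    findings = []
    for line in text.splitlines():
        name = requirement_name(line)
        if name is None or name in KNOWN_PACKAGES:
            continue
        for known in sorted(KNOWN_PACKAGES):
            if edit_distance(name, known) <= max_distance:
                findings.append((name, known))
                break
    return findings

def fabrice_linux_artifact_present(home: Optional[str] = None) -> bool:
    """Host check for the hidden ~/.local/bin/vscode directory the article
    says the Linux payload creates; pass home= to check another profile."""
    base = Path(home) if home else Path.home()
    return (base / ".local" / "bin" / "vscode").is_dir()

# Constructed sample input: one legitimate pin, one typosquat, one unrelated package.
SAMPLE_REQUIREMENTS = "# constructed sample\nfabric==3.2.2\nfabrice\nrequests>=2.31\n"
```

Running `suspicious_requirements(SAMPLE_REQUIREMENTS)` returns `[("fabrice", "fabric")]`; a real deployment would replace the constructed allow-list with the organisation's approved package inventory.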