Malicious PyPI Package Racks Up 37,000 Downloads

A team of researchers from Socket reported a malicious Python package, Fabrice, disguised as the popular Fabric library. The package, present on PyPI since July, has been downloaded more than a thousand times and quietly steals AWS account data from developers' machines.

The real Fabric library, developed by Bitprophet, has over 200 million downloads and is widely used by developers worldwide. Attackers capitalized on its reputation by publishing a look-alike package embedded with malicious code. The Fabrice package is designed to steal access keys, implant backdoors, and execute commands tailored to the victim's operating system.

On Linux systems, the malicious code is activated through the Linuxthread() function, which executes scripts fetched from a remote server. The files are stored in a hidden directory to evade detection, and the server address is obfuscated to hide the harmful activity from antivirus programs.

On Windows, the attack uses the Winthread() function to download malicious executable files and create scheduled tasks that run them repeatedly. This persistence lets the attackers keep control of infected devices even after a reboot.

The primary aim of the “Fabrice” package is to steal AWS credentials. Using the Boto3 library, the malicious code collects the keys and sends them to a server behind a VPN in Paris, which makes it difficult to trace the perpetrators and grants them access to victims’ cloud resources.

To reduce the risk, developers are strongly advised to use specialized tools on GitHub that automatically scrutinize dependencies and flag suspicious packages. The Socket team has reported the malicious package to PyPI for removal.
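One simple check of the kind such dependency tools perform is to compare every name in a requirements file against a list of well-known packages and flag near-misses, which is exactly how a "fabrice" entry would stand out next to "fabric". The script below is an added example written for this article; it is not Socket's or PyPI's tooling. The `KNOWN_PACKAGES` allow-list and the `SAMPLE_REQUIREMENTS` text are constructed for illustration, and the edit-distance threshold of 1 is an assumption a team would tune.

```python
"""Flag dependency names that look like typosquats of well-known packages.

Added example, not tooling from Socket, PyPI or the Fabric project. The
package list and the requirements text are constructed for illustration.
"""
import re
from typing import Iterable, List, Tuple

# Hypothetical allow-list of well-known PyPI names a team actually relies on.
KNOWN_PACKAGES = {"fabric", "requests", "boto3", "numpy", "urllib3", "paramiko"}

# Constructed requirements.txt content; "fabrice" mirrors the case in the article.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3      # legitimate
fabrice==0.2.2        # one letter away from "fabric"
boto3>=1.34
numpy
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def parse_requirement_names(text: str) -> List[str]:
    """Return normalized project names from requirements.txt-style text.

    Comments, blank lines and option lines (-r, -e, --index-url ...) are skipped;
    version specifiers and extras are stripped from each entry.
    """
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:
            names.append(normalize(match.group(0)))
    return names


def find_typosquat_candidates(names: Iterable[str],
                              known: Iterable[str] = KNOWN_PACKAGES,
                              max_distance: int = 1) -> List[Tuple[str, str]]:
    """Return (dependency, lookalike) pairs for names close to, but not in, the allow-list.

    A name that exactly matches an allow-listed package is trusted; anything
    within max_distance edits of one is reported for human review.
    """
    known_norm = {normalize(k) for k in known}
    findings = []
    for name in names:
        if name in known_norm:
            continue
        for legit in sorted(known_norm):
            if levenshtein(name, legit) <= max_distance:
                findings.append((name, legit))
    return findings


if __name__ == "__main__":
    deps = parse_requirement_names(SAMPLE_REQUIREMENTS)
    for suspect, legit in find_typosquat_candidates(deps):
        print(f"review: '{suspect}' is within 1 edit of '{legit}'")
```

Run on the constructed sample it reports the single `fabrice`/`fabric` pair. In practice the allow-list would be the organisation's approved packages rather than a hand-typed set, and a hit is a prompt for review, not proof of malice, since legitimate packages with similar names exist.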
