A team of researchers from Socket has uncovered a malicious Python package named “fabrice,” deceptively masquerading as the popular library “fabric.” This package, present on PyPI since 2021 and downloaded over 37,000 times, discreetly steals AWS credentials from developers.
The genuine “fabric” library, developed by bitprophet, is utilized by countless professionals worldwide, boasting over 200 million downloads. However, the attackers exploited its reputation, crafting a similar package embedded with malicious code. The “fabrice” package exfiltrates access keys, establishes backdoors, and executes commands based on the operating system.
On Linux, the malicious code initiates via the linuxThread() function, which downloads and runs scripts from a remote server. A hidden directory is employed to store these files, complicating their detection. The server address is obfuscated, aiding in evading antivirus scrutiny.
On Windows, the system is compromised through the winThread() function, which downloads malicious executables and schedules tasks for their periodic execution. This ensures the attackers retain access to infected devices even after reboot.
The primary objective of “fabrice” is the theft of AWS credentials. Leveraging the boto3 library, the malware extracts access keys and transmits them to a server hosted on a VPN in Paris, complicating the tracking of the perpetrators and granting them access to the victims’ cloud resources.
To enhance security, developers are strongly encouraged to utilize specialized GitHub tools that automatically scan dependencies and detect suspicious packages. The Socket team has already notified PyPI about the malicious package to facilitate its removal.
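One piece of what such a scan does can be shown in a few lines: flag requirement names that are not on a trusted list but sit within one or two edits of a trusted name, the pattern "fabrice" versus "fabric" relies on. The code below is an added illustration, not Socket's tooling or anything from the report; the trusted list and the sample requirements file are constructed.

```python
import re
from typing import List, Optional, Tuple

# Constructed allowlist of trusted package names. A real check would draw on
# the project's own lock file or a curated list of popular packages.
TRUSTED = {"fabric", "requests", "boto3", "paramiko", "invoke"}

def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirement(line: str) -> Optional[str]:
    """Return the normalized distribution name from a requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()          # drop comments and whitespace
    if not line or line.startswith(("-", "git+", "http")):
        return None                               # options and URL requirements
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return normalize(m.group(1)) if m else None

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(requirements: str, trusted=TRUSTED,
                    max_distance: int = 2) -> List[Tuple[str, str]]:
    """Return (name, nearest_trusted) for untrusted names within max_distance edits."""
    flagged = []
    for line in requirements.splitlines():
        name = parse_requirement(line)
        if name is None or name in trusted:
            continue                              # exact trusted match is fine
        dist, nearest = min((edit_distance(name, t), t) for t in trusted)
        if dist <= max_distance:
            flagged.append((name, nearest))
    return flagged

# Constructed sample requirements file; "fabrice" mirrors the package in the report.
SAMPLE = """\
fabric>=3.0      # legitimate
fabrice==0.1     # one insertion away from "fabric"
requests
reqeusts>=2.0    # constructed transposition, two edits from "requests"
numpy            # not trusted here, but far from every trusted name
"""

if __name__ == "__main__":
    for name, nearest in find_lookalikes(SAMPLE):
        print(f"suspicious: {name!r} resembles trusted package {nearest!r}")
```

Names close to a trusted one are only candidates for review; a distance threshold on its own does not establish that a package is malicious.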