InfoSecBulletin Cybersecurity for mankind
The Socket Research Team has discovered a malicious package named “fabrice,” pretending to be the legitimate fabric SSH automation library. Since its introduction on PyPI in 2021, fabrice has been stealing AWS credentials from users who mistakenly installed it. With over 37,000 downloads, this incident underscores ongoing risks of malware in open-source repositories.
The malicious fabrice package employs various techniques to deliver its payload, with different malicious actions tailored for Linux and Windows environments:
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
Builder claims Rs 150 cr for data loss; AWS faces FIR In Bengaluru
On Linux Systems:
The package uses a function called linuxThread() to download and execute hidden scripts from an external server. According to the research, “the linuxThread() function creates a hidden directory (~/.local/bin/vscode) where it stores downloaded payloads”, making detection difficult. Additionally, the package connects to a VPN server at IP address 89.44.9.227 to download these malicious scripts, using obfuscation techniques to avoid detection.
On Windows Systems:
The Windows version, using the winThread() function, relies on base64-encoded payloads stored in variables vv and zz. The research explains that “the vv variable decodes into a VBScript (p.vbs) that runs a hidden Python script (d.py)”, which then downloads further malicious executables. The zz script establishes persistence by scheduling tasks to re-execute the malicious code, maintaining the attack’s presence even after system reboots.
Fabrics primarily aims to steal AWS credentials. Using the boto3 library, it grabs AWS access and secret keys from compromised environments. After collecting these keys, they are sent to a VPN endpoint, making it difficult for victims to trace. As noted in the report, this gives attackers access to sensitive cloud resources, risking unauthorized data exposure.
The malware is platform-agnostic, using a test() function to identify the operating system and run the relevant malicious thread for both Linux and Windows users. This design expands its potential impact across different systems.
Typosquatting attacks, where harmful packages mimic trusted libraries, pose a significant risk in open-source software. The legitimate fabric library by bitprophet has over 201 million downloads and is widely trusted.
Attackers exploited this trust with a malicious package named fabrice, leading to credential theft and backdoor installations on unsuspecting systems.
