InfoSecBulletin Cybersecurity for mankind
The Socket Research Team has discovered a malicious package named “fabrice,” pretending to be the legitimate fabric SSH automation library. Since its introduction on PyPI in 2021, fabrice has been stealing AWS credentials from users who mistakenly installed it. With over 37,000 downloads, this incident underscores ongoing risks of malware in open-source repositories.
The malicious fabrice package employs various techniques to deliver its payload, with different malicious actions tailored for Linux and Windows environments:
Delay patching leaves about 50,000 Fortinet firewalls to zero-day attack
Daily Security Update Dated: 21.01.2025
126 Linux kernel Vulns Allow Attackers Exploit 78 Linux Sub-Systems
CERT-UA alerts about “security audit” requests through AnyDesk
Oracle Critical Pre-Release update addressed 320 flaw
OWASP Reveils Top 10 Smart Contract Vulnerabilities for 2025
Multiple Azure DevOps Vulns Allow To Inject CRLF Queries & Rebind DNS
Intel holds 22 employees from one Bangladeshi University
VPN Surge 1500% in USA after TikTok Shut Down
MITRE Launches D3FEND 1.0; The Milestone for Cybersecurity Ontology
On Linux Systems:
The package uses a function called linuxThread() to download and execute hidden scripts from an external server. According to the research, “the linuxThread() function creates a hidden directory (~/.local/bin/vscode) where it stores downloaded payloads”, making detection difficult. Additionally, the package connects to a VPN server at IP address 89.44.9.227 to download these malicious scripts, using obfuscation techniques to avoid detection.
On Windows Systems:
The Windows version, using the winThread() function, relies on base64-encoded payloads stored in variables vv and zz. The research explains that “the vv variable decodes into a VBScript (p.vbs) that runs a hidden Python script (d.py)”, which then downloads further malicious executables. The zz script establishes persistence by scheduling tasks to re-execute the malicious code, maintaining the attack’s presence even after system reboots.
Fabrics primarily aims to steal AWS credentials. Using the boto3 library, it grabs AWS access and secret keys from compromised environments. After collecting these keys, they are sent to a VPN endpoint, making it difficult for victims to trace. As noted in the report, this gives attackers access to sensitive cloud resources, risking unauthorized data exposure.
The malware is platform-agnostic, using a test() function to identify the operating system and run the relevant malicious thread for both Linux and Windows users. This design expands its potential impact across different systems.
Typosquatting attacks, where harmful packages mimic trusted libraries, pose a significant risk in open-source software. The legitimate fabric library by bitprophet has over 201 million downloads and is widely trusted.
Attackers exploited this trust with a malicious package named fabrice, leading to credential theft and backdoor installations on unsuspecting systems.
