InfoSecBulletin Cybersecurity for mankind
The Socket Research Team has discovered a malicious package named “fabrice,” pretending to be the legitimate fabric SSH automation library. Since its introduction on PyPI in 2021, fabrice has been stealing AWS credentials from users who mistakenly installed it. With over 37,000 downloads, this incident underscores ongoing risks of malware in open-source repositories.
The malicious fabrice package employs various techniques to deliver its payload, with different malicious actions tailored for Linux and Windows environments:
Researcher found non protected database form ESHYFT containig 86000 records
CVE-2024-55591 and CVE-2025-24472
New SuperBlack ransomware exploits Fortinet flaws
CVE-2025-25291 & CVE-2025-25292
Attention! GitLab Patched Critical Authentication Bypass Flaws
CVE-2025-20138
Cisco released High Security Alert for IOS XR Software
400+ IPs Exploiting Multiple SSRF Vulnerabilities
NVIDIA has released update for NVIDIA Riva
CVE-2025-24201
Apple fixes 0-day exploited in “extremely sophisticated attack”
Microsoft’s March 2025 updates fix 7 zero-day, 57 flaws
Ballista Botnet infects 6000 Unpatched TP-Link Routers
CVE-2025-24813
Flaw in Apache Tomcat Exposes Servers to RCE
On Linux Systems:
The package uses a function called linuxThread() to download and execute hidden scripts from an external server. According to the research, “the linuxThread() function creates a hidden directory (~/.local/bin/vscode) where it stores downloaded payloads”, making detection difficult. Additionally, the package connects to a VPN server at IP address 89.44.9.227 to download these malicious scripts, using obfuscation techniques to avoid detection.
On Windows Systems:
The Windows version, using the winThread() function, relies on base64-encoded payloads stored in variables vv and zz. The research explains that “the vv variable decodes into a VBScript (p.vbs) that runs a hidden Python script (d.py)”, which then downloads further malicious executables. The zz script establishes persistence by scheduling tasks to re-execute the malicious code, maintaining the attack’s presence even after system reboots.
Fabrics primarily aims to steal AWS credentials. Using the boto3 library, it grabs AWS access and secret keys from compromised environments. After collecting these keys, they are sent to a VPN endpoint, making it difficult for victims to trace. As noted in the report, this gives attackers access to sensitive cloud resources, risking unauthorized data exposure.
The malware is platform-agnostic, using a test() function to identify the operating system and run the relevant malicious thread for both Linux and Windows users. This design expands its potential impact across different systems.
Typosquatting attacks, where harmful packages mimic trusted libraries, pose a significant risk in open-source software. The legitimate fabric library by bitprophet has over 201 million downloads and is widely trusted.
Attackers exploited this trust with a malicious package named fabrice, leading to credential theft and backdoor installations on unsuspecting systems.
