Summary:
The Socket Research Team has uncovered a malicious Python package named “fabrice” that is typosquatting the legitimate “fabric” SSH automation library. This package has been silently exfiltrating AWS credentials since 2021, with over 37,000 downloads. It employs various techniques to execute malicious actions on both Linux and Windows systems, highlighting the risks associated with using open source software. Developers are urged to secure their dependencies against such threats.
#Typosquatting #CredentialTheft #OpenSourceRisks
The Socket Research Team has uncovered a malicious Python package named “fabrice” that is typosquatting the legitimate “fabric” SSH automation library. This package has been silently exfiltrating AWS credentials since 2021, with over 37,000 downloads. It employs various techniques to execute malicious actions on both Linux and Windows systems, highlighting the risks associated with using open source software. Developers are urged to secure their dependencies against such threats.
#Typosquatting #CredentialTheft #OpenSourceRisks
Keypoints:
Discovery of the malicious Python package “fabrice” on PyPI.
Fabrice is designed to typosquat the popular “fabric” library, exploiting developer trust.
The package has been active since 2021, with over 37,000 downloads.
It exfiltrates AWS credentials and executes malicious scripts on both Linux and Windows.
Linux systems are targeted using a function called linuxThread() to download and execute scripts.
Windows systems are targeted using a function called winThread() that runs hidden scripts for persistence.
The primary goal of fabrice is to steal AWS access and secret keys.
Socket Research Team has reported the package to the PyPI team for takedown.
Developers are encouraged to use tools like Socket for monitoring dependencies.
MITRE Techniques:
Credential Dumping (T1003): Utilizes the boto3 library to gather AWS access and secret keys for exfiltration.
Command and Control (T1071): Sends stolen credentials to a remote server (89.44.9.227) for data exfiltration.
Malicious Script Execution (T1059): Executes downloaded scripts on both Linux and Windows systems to maintain persistence.
Obfuscated Files or Information (T1027): Uses obfuscation techniques for URLs and scripts to evade detection.
Scheduled Task/Job (T1053): Creates a scheduled task on Windows to ensure the malicious executable runs periodically.
IoC:
[IP Address] 89[.]44[.]9[.]227
[File Name] chrome.exe
[File Name] d.py
[File Name] p.vbs
[File Name] per.sh
[File Name] app.py
[File Name] info.py
Full Research: https://socket.dev/blog/malicious-python-package-typosquats-fabric-ssh-library