Malicious PyPI Package Discovered Stealing AWS Credentials for Nearly Three Years

CyberSecureFox 🦊

Security researchers at Socket have identified a malicious package on the Python Package Index (PyPI) named ‘fabrice’ that had been covertly harvesting Amazon Web Services (AWS) credentials for almost three years. The package accumulated over 37,100 downloads before it was reported, masquerading as the legitimate ‘fabric’ library through typosquatting.

Sophisticated Impersonation Through Typosquatting

The threat actors registered the name ‘fabrice’ to mimic the popular ‘fabric’ library, which has over 202 million downloads and is widely used to run commands on remote hosts over SSH. The two names differ by a single trailing letter, so one typo in a pip install command or a requirements file is enough to pull in the malicious package instead of the genuine one. That the package survived for nearly three years shows how little attention look-alike names receive in everyday dependency management.
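A practical counter-measure is to compare every requested dependency name against a list of popular projects before installing. The script below is an added example, not code from Socket or from the page; it normalizes names the way PyPI does (PEP 503) and flags near-matches such as fabrice/fabric with a string-similarity ratio. The POPULAR list and SAMPLE_REQUIREMENTS are constructed for the example, and the 0.8 cutoff is an assumption to tune against your own dependency set.

```python
import difflib
import re

# Constructed short list of popular PyPI project names to protect; a real
# check would load a maintained top-N list instead (assumption for this example).
POPULAR = ["fabric", "requests", "boto3", "numpy", "urllib3", "paramiko"]

# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# pinned deps for a deployment helper (constructed sample)
fabrice==1.0.0
requests[socks]>=2.31
boto3
numpy==1.26.4
"""


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def typosquat_candidates(requested: str, popular=POPULAR, cutoff: float = 0.8):
    """Return [(popular_name, similarity), ...] for popular names that `requested`
    closely resembles. An exact (normalized) match is a known-good name and yields []."""
    req = normalize(requested)
    hits = []
    for candidate in popular:
        cand = normalize(candidate)
        if cand == req:
            return []
        ratio = difflib.SequenceMatcher(None, req, cand).ratio()
        if ratio >= cutoff:
            hits.append((candidate, round(ratio, 3)))
    return sorted(hits, key=lambda h: -h[1])


def scan_requirements(text: str, popular=POPULAR) -> dict:
    """Map each suspicious requirement name to the popular packages it resembles."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or pip option (-r, -e, ...)
            continue
        # Project name is everything before extras ([...]) or version specifiers.
        match = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if not match:
            continue
        name = match.group(1)
        hits = typosquat_candidates(name, popular)
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: looks like {hits}")
```

Run against the sample, only ‘fabrice’ is reported (similarity 0.923 to ‘fabric’); the exact names pass silently. Wire the same check into CI so a look-alike name fails the build instead of being installed.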

Multi-Platform Attack Mechanisms

The malicious package carried separate payloads for Linux and Windows and chose between them based on the host operating system. On Linux systems, it downloaded four shell scripts from a remote command-and-control server, decoded them, and executed them.

Windows-Specific Infection Chain

For Windows targets, the malware used a longer multi-stage sequence. The infection chain began with a VBScript launcher that executed a hidden Python script (d.py) from the Downloads directory. The malware then dropped an executable disguised as chrome.exe and established persistence through a scheduled task that re-ran it every 15 minutes.

AWS Credential Exfiltration Methodology

The primary objective of the campaign was the systematic theft of AWS credentials. The malware used Boto3, the AWS SDK for Python, to harvest access keys and other authentication data, and transmitted the stolen credentials to attacker-controlled servers. Because Boto3 resolves credentials from the same places legitimate code does (environment variables, the shared credentials file, instance or container roles), any key available to a developer’s own scripts was equally available to the malware. With valid keys in hand, the attackers could potentially access the victims’ cloud infrastructure with whatever permissions those keys carried.
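The damage such a package can do depends on what credentials are sitting on the host. The script below is an added example (not Socket’s code and not the malware) that audits the two credential sources most often found on developer machines: the AWS_ACCESS_KEY_ID environment variable and the ~/.aws/credentials file. It classifies each key as long-lived (AKIA prefix, no session token) or temporary (ASIA prefix, issued by STS), since a stolen long-lived key keeps working until someone revokes it. SAMPLE_CREDENTIALS is a constructed file with placeholder values, not real keys.

```python
import configparser
import os
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of a ~/.aws/credentials file; the key IDs and secrets are
# placeholders, not real AWS credentials.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLE0000000001
aws_secret_access_key = EXAMPLE-SECRET-NOT-REAL

[ci-temp]
aws_access_key_id = ASIAEXAMPLE0000000002
aws_secret_access_key = EXAMPLE-SECRET-NOT-REAL
aws_session_token = EXAMPLE-TOKEN-NOT-REAL
"""


@dataclass
class KeyFinding:
    source: str        # where the key was found
    profile: str       # credentials-file profile, or "-" for the environment
    key_prefix: str    # first four characters only; never log the full key
    long_lived: bool   # True for a static IAM user key with no session token


def is_long_lived(access_key_id: str, has_session_token: bool) -> bool:
    """AWS long-term access keys start with 'AKIA'; temporary STS keys start
    with 'ASIA' and are always accompanied by a session token."""
    return access_key_id.startswith("AKIA") and not has_session_token


def audit_credentials_file(text: str, source: str = "~/.aws/credentials") -> List[KeyFinding]:
    """Parse a shared-credentials file and classify every profile that holds a key."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    findings = []
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback=None)
        if not key_id:
            continue
        has_token = parser.has_option(profile, "aws_session_token")
        findings.append(KeyFinding(source, profile, key_id[:4], is_long_lived(key_id, has_token)))
    return findings


def audit_environment(env: Dict[str, str]) -> List[KeyFinding]:
    """Classify AWS_ACCESS_KEY_ID from a process environment (pass dict(os.environ))."""
    key_id = env.get("AWS_ACCESS_KEY_ID")
    if not key_id:
        return []
    has_token = bool(env.get("AWS_SESSION_TOKEN"))
    return [KeyFinding("environment", "-", key_id[:4], is_long_lived(key_id, has_token))]


def audit_host() -> List[KeyFinding]:
    """Audit the current machine: the environment plus the real shared credentials file."""
    findings = audit_environment(dict(os.environ))
    path = os.path.expanduser("~/.aws/credentials")
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            findings += audit_credentials_file(fh.read(), path)
    return findings


if __name__ == "__main__":
    print("constructed sample:")
    for f in audit_credentials_file(SAMPLE_CREDENTIALS, "sample"):
        print(f"  {f.source} [{f.profile}] {f.key_prefix}... long-lived={f.long_lived}")
    print("this host:")
    for f in audit_host():
        print(f"  {f.source} [{f.profile}] {f.key_prefix}... long-lived={f.long_lived}")
```

On the sample, the default profile is reported as long-lived and ci-temp as temporary. Every long-lived finding on a developer workstation is a key that a package like fabrice could exfiltrate and reuse indefinitely; replacing it with short-lived credentials (for example via SSO or an assumed role) limits the window of exposure.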

This incident is a reminder that a dependency runs with the full privileges of the developer or build system that installs it. Organizations should scan dependencies automatically, pin them and verify their hashes on install (pip supports this with --require-hashes), and audit the dependency tree regularly. Development teams must check package names carefully, especially ones that differ from a popular library by a letter or two, as typosquatting remains a common route into software supply chains. On the credential side, replacing long-lived access keys on developer machines with short-lived, least-privilege credentials limits what a malicious package can steal and how long a stolen key stays useful.
