Cybersecurity researchers have identified a malicious Python package named "fabrice" on the Python Package Index (PyPI) that has been targeting developers' Amazon Web Services (AWS) credentials through a sophisticated typosquatting attack. Disguised as the legitimate package "fabric," which facilitates remote SSH command execution, this malicious version has racked up over 37,100 downloads since it was published in March 2021.
What is Typosquatting, and How Did "Fabrice" Exploit It?
Typosquatting is a technique that capitalizes on minor misspellings or typos of popular package names to trick developers into downloading the malicious package. In this case, "fabrice" closely mimics "fabric," a well-known package with over 202 million downloads. By using this deceptive naming tactic, "fabrice" was able to evade detection and gain widespread distribution for over three years.
How "Fabrice" Operates Across Platforms
Once installed, the "fabrice" package functions differently depending on the operating system it detects, deploying customized payloads on Linux and Windows:
The end goal of both payloads is the same: credential theft. Each one collects the developer's AWS access key ID and secret access key through the Boto3 SDK and exfiltrates them to a remote server controlled by the attacker.
Why AWS Credentials are Targeted
By collecting AWS access keys, the attacker gains potential access to sensitive cloud resources managed by unsuspecting developers. This can include everything from personal data to corporate databases, cloud-hosted applications, and more, putting affected organizations at risk of data breaches, unauthorized access, and financial losses.
Lessons for Developers
This attack highlights the risks of typosquatting and the importance of verifying package authenticity on PyPI and other repositories. To protect against similar threats, developers should:
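One concrete way to act on the typosquatting lesson above is to screen a requirements file for names that sit within a couple of edits of a well-known package, which is exactly the "fabrice" versus "fabric" pattern. The script below is an added example written for this page, not code from the article or from any security vendor. It assumes a constructed allowlist of popular package names (`POPULAR_PACKAGES`) and a constructed sample `requirements.txt`; in practice the allowlist would come from a curated internal list or a download-ranking feed.

```python
# Added example (not from the original article): flag requirements.txt entries whose
# names are suspiciously close to, but not equal to, a popular package name.
import re
from typing import List, Optional, Tuple

# Constructed allowlist of well-known package names (assumption for this example).
POPULAR_PACKAGES = {"fabric", "requests", "boto3", "numpy", "django", "flask"}


def normalize(name: str) -> str:
    """PEP 503 style normalisation: case-fold and collapse runs of -, _ and . to a hyphen."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parse_requirement_name(line: str) -> Optional[str]:
    """Return the distribution name from one requirements.txt line, or None for
    blank lines, comments and pip options such as '-r base.txt'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return m.group(1) if m else None


def find_lookalikes(requirements: str,
                    popular=POPULAR_PACKAGES,
                    max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Return (requested_name, popular_name, distance) for every requested package
    that is near a popular name without being that name."""
    findings = []
    for line in requirements.splitlines():
        name = parse_requirement_name(line)
        if name is None:
            continue
        norm = normalize(name)
        if norm in popular:          # an exact, legitimate dependency
            continue
        for known in sorted(popular):
            d = edit_distance(norm, known)
            if 0 < d <= max_distance:
                findings.append((name, known, d))
    return findings


# Constructed sample requirements file containing the lookalike name from the article.
SAMPLE_REQUIREMENTS = """\
# pinned deps
requests==2.32.3
fabrice>=1.0   # one letter away from fabric
boto3
Django==5.0
"""

if __name__ == "__main__":
    for requested, lookalike, d in find_lookalikes(SAMPLE_REQUIREMENTS):
        print(f"WARNING: '{requested}' is {d} edit(s) from popular package "
              f"'{lookalike}'; verify the project before installing")
```

Run it against a real requirements file by replacing `SAMPLE_REQUIREMENTS` with the file's contents. A hit is a prompt to check the package's PyPI page, maintainer and repository, not proof of malice; short names produce more false positives, so tune `max_distance` or require a minimum length for the popular name if the allowlist contains three- or four-letter packages.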
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067