Malicious Python Package "Fabrice" Targets AWS Credentials in Typosquatting Attack

Cybersecurity researchers have identified a malicious Python package named "fabrice" on the Python Package Index (PyPI) that has been targeting developers' Amazon Web Services (AWS) credentials through a sophisticated typosquatting attack. Disguised as the legitimate package "fabric," which facilitates remote SSH command execution, this malicious version has racked up over 37,100 downloads since it was published in March 2021.

What is Typosquatting, and How Did "Fabrice" Exploit It?

Typosquatting is a technique that capitalizes on minor misspellings or typos of popular package names to trick developers into downloading the malicious package. In this case, "fabrice" closely mimics "fabric," a well-known package with over 202 million downloads. By using this deceptive naming tactic, "fabrice" was able to evade detection and gain widespread distribution for over three years.

How "Fabrice" Operates Across Platforms

Once installed, the "fabrice" package functions differently depending on the operating system it detects, deploying customized payloads on Linux and Windows:

  1. Linux Payloads: The package downloads, decodes, and executes four distinct shell scripts from an external server, located at "89.44.9[.]227". These scripts are designed to gather credentials and establish backdoors on the infected system.
  2. Windows Payloads: "Fabrice" executes a Visual Basic Script (VBScript) file ("p.vbs") to initiate a hidden Python script ("d.py"), stored in the Downloads folder. This script subsequently downloads a malicious executable file ("chrome.exe") and sets up a persistence mechanism using scheduled tasks to execute the file every 15 minutes.

Both payloads share the same end goal: credential theft. They specifically collect AWS access keys and secret keys through the Boto3 SDK and exfiltrate those credentials to the attacker's remote server.
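The behaviour described above can be turned into concrete detection checks. The following is an added example, not code from the original post or from the researchers who analysed the package: it matches the command-and-control address from the write-up against constructed egress log lines, and flags scheduled tasks that combine the traits described for the Windows payload (an executable under a Downloads folder, a dropped-file name, and a short repetition interval). The log lines and task records are constructed sample data, not real telemetry.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Indicators taken from the write-up above (the IP appears there defanged as 89.44.9[.]227).
C2_IP = "89.44.9.227"
DROPPED_FILES = {"p.vbs", "d.py", "chrome.exe"}
MAX_SUSPICIOUS_INTERVAL_MIN = 15  # the persistence task fires every 15 minutes

# Constructed sample egress/proxy log lines (assumed format: time host method target status bytes).
SAMPLE_LOG = """\
2024-11-06T10:12:01Z dev-laptop-3 CONNECT 151.101.1.63:443 pypi.org 200 0
2024-11-06T10:12:04Z dev-laptop-3 GET http://89.44.9.227/ 200 3120
2024-11-06T10:12:09Z dev-laptop-3 CONNECT 140.82.112.3:443 github.com 200 0
"""


@dataclass
class ScheduledTask:
    """Minimal view of a scheduled task as an EDR or inventory export might provide it."""
    name: str
    action: str         # executable path the task runs
    interval_min: int   # repetition interval in minutes (0 = runs once)


# Constructed task inventory: one benign updater and one matching the page's description.
SAMPLE_TASKS = [
    ScheduledTask("MicrosoftEdgeUpdateTaskMachineUA",
                  r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe", 60),
    ScheduledTask("ChromeUpdate", r"C:\Users\dev\Downloads\chrome.exe", 15),
]


def find_c2_hits(log_text: str) -> list[str]:
    """Return log lines that reference the C2 address as a whole IP (not as a substring)."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")
    return [line for line in log_text.splitlines() if pattern.search(line)]


def is_in_downloads(path: str) -> bool:
    """True if any directory component of a Windows path is a Downloads folder."""
    return "downloads" in [p.lower() for p in PureWindowsPath(path).parts]


def find_suspicious_tasks(tasks: list[ScheduledTask]) -> list[tuple[str, list[str]]]:
    """Flag tasks showing at least two of the traits described for the Windows payload."""
    hits = []
    for task in tasks:
        exe = PureWindowsPath(task.action).name.lower()
        reasons = []
        if is_in_downloads(task.action):
            reasons.append("runs an executable from a Downloads folder")
        if exe in DROPPED_FILES:
            reasons.append(f"executable name {exe} matches a dropped file")
        if 0 < task.interval_min <= MAX_SUSPICIOUS_INTERVAL_MIN:
            reasons.append(f"repeats every {task.interval_min} min")
        # Requiring two traits keeps a lone short-interval updater from generating noise.
        if len(reasons) >= 2:
            hits.append((task.name, reasons))
    return hits


if __name__ == "__main__":
    for line in find_c2_hits(SAMPLE_LOG):
        print("C2 contact:", line)
    for name, reasons in find_suspicious_tasks(SAMPLE_TASKS):
        print(f"Suspicious task {name}: " + "; ".join(reasons))
```

The two-trait threshold is a design choice: a legitimate updater that runs every few minutes, or a user who once ran an installer from Downloads, should not page anyone on its own, whereas the combination described on this page should.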

Why AWS Credentials Are Targeted

By collecting AWS access keys, the attacker gains potential access to sensitive cloud resources managed by unsuspecting developers. This can include everything from personal data to corporate databases, cloud-hosted applications, and more, putting affected organizations at risk of data breaches, unauthorized access, and financial losses.

Lessons for Developers

This attack highlights the risks of typosquatting and the importance of verifying package authenticity on PyPI and other repositories. To protect against similar threats, developers should:

  1. Double-check package names before downloading and installing them.
  2. Use security tools that monitor for suspicious packages on PyPI.
  3. Scan packages for malicious code or unexpected payloads, especially when working with sensitive data.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067