Malicious PyPI Package ‘Fabrice’ Found Stealing AWS Keys from Thousands of Developers

by Ravie Lakshmanan | Nov 07, 2024 | Vulnerability / Cloud Security

Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) that racked up thousands of downloads over more than three years while stealthily exfiltrating developers’ Amazon Web Services (AWS) credentials.

The package in question is “fabrice,” a typosquat of the popular Python library “fabric,” which is designed to execute shell commands remotely over SSH.

While the legitimate package has over 202 million downloads, its malicious counterpart has been downloaded more than 37,100 times to date. As of writing, “fabrice” is still available for download from PyPI. It was first published in March 2021.

The typosquatting package is designed to exploit the trust associated with “fabric,” incorporating “payloads that steal credentials, create backdoors, and execute platform-specific scripts,” security firm Socket said.

“Fabrice” is designed to carry out its malicious actions based on the operating system on which it’s installed. On Linux machines, it uses a specific function to download, decode, and execute four different shell scripts from an external server (“89.44.9[.]227”).

On systems running Windows, two different payloads – a Visual Basic Script (“p.vbs”) and a Python script – are extracted and executed, with the former running a hidden Python script (“d.py”) stored in the Downloads folder.

“This VBScript functions as a launcher, allowing the Python script to execute commands or initiate further payloads as designed by the attacker,” security researchers Dhanesh Dodia, Sambarathi Sai, and Dwijay Chintakunta said.

The other Python script is designed to download a malicious executable from the same remote server, save it as “chrome.exe” in the Downloads folder, set up persistence using scheduled tasks to run the binary every 15 minutes, and finally delete the “d.py” file.

The end goal of the package, regardless of the operating system, appears to be credential theft, gathering AWS access and secret keys using the Boto3 AWS Software Development Kit (SDK) for Python and exfiltrating the information back to the server.

“By collecting AWS keys, the attacker gains access to potentially sensitive cloud resources,” the researchers said. “The fabrice package represents a sophisticated typosquatting attack, crafted to impersonate the trusted fabric library and exploit unsuspecting developers by gaining unauthorized access to sensitive credentials on both Linux and Windows systems.”
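
A defender-side check for the name confusion described above, as an added example that is not part of the original article or of Socket's research: it flags declared dependencies whose normalized names sit within a small edit distance of a package the team actually trusts. The allow-list, the sample requirements text and every function name are assumptions constructed for illustration.

```python
import re

# Constructed allow-list of packages a team really depends on (assumption).
TRUSTED = {"fabric", "boto3", "requests", "paramiko"}

def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    """Project name from one requirements.txt line, or None for blanks/options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None

def edit_distance(a, b):
    """Levenshtein distance via a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(requirements, trusted=TRUSTED, max_distance=1):
    """Return (declared, trusted, distance) for names that nearly match."""
    trusted = {normalize(t) for t in trusted}
    hits = []
    for line in requirements.splitlines():
        name = requirement_name(line)
        if name is None or name in trusted:
            continue  # exact matches are the real package, not a lookalike
        for t in sorted(trusted):
            d = edit_distance(name, t)
            if d <= max_distance:
                hits.append((name, t, d))
    return hits

# Constructed sample requirements text (not taken from any real project).
SAMPLE = "fabrice  # one letter from fabric\nFabric\nboto3\nreqeusts\nflask\n"

if __name__ == "__main__":
    print(find_lookalikes(SAMPLE, max_distance=2))
```

Plain Levenshtein distance counts a swapped pair of letters as two edits, so the default threshold of 1 catches “fabrice” but not a transposition; raising the threshold widens coverage at the cost of more false positives to review.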
