Cybersecurity researchers discovered a malicious package in the Python Package Index (PyPI) that accumulated thousands of downloads over three years while stealing developers’ Amazon Web Services (AWS) credentials.
The package in question, “fabrice,” mimics a popular Python library known as “fabric,” which is used for remote execution of shell commands over SSH.
While the legitimate package has over 202 million downloads, its malicious counterpart has been downloaded more than 37,100 times to date. At the time of writing, fabrice is still available for download from PyPI. It was first published in March 2021.
The typosquatting package is designed to exploit “fabric”-related trust, including “payloads that steal credentials, create backdoors, and execute platform-specific scripts,” security firm Socket said.
Fabrice is designed to perform its malicious activities based on the operating system on which it is installed. On Linux machines, it uses a specific function to download, decode, and execute four different shell scripts from an external server (“89.44.9(.)227”).
On systems running Windows, two different payloads, a Visual Basic Script (“p.vbs”) and a Python script, are extracted and executed, with the former running a hidden Python script (“d.py”) stored in the Downloads folder.
“This VBScript functions as a launcher, allowing the Python script to execute commands or initiate further payloads as designed by the attacker,” said security researchers Danesh Dodiya, Sambarathi Sai and Vijay Chintakunta.
Another Python script is designed to download a malicious executable from the same remote server, save it as “chrome.exe” in the Downloads folder, set up persistence with a scheduled task that runs the binary every 15 minutes, and finally delete the “d.py” file.
The ultimate goal of the package, regardless of operating system, is credential theft: it collects AWS access and secret keys using the Boto3 AWS Software Development Kit (SDK) for Python and sends the information back to the server.
“By harvesting AWS keys, an attacker gains access to potentially confidential cloud resources,” the researchers said. “The fabrice package is a sophisticated typosquatting attack designed to impersonate a trusted fabric library and exploit unsuspecting developers by gaining unauthorized access to sensitive credentials on Linux and Windows systems.”