Malicious PyPI Package 'Fabrice' Found Stealing AWS Keys from Thousands of Developers
Summary:
Cybersecurity experts recently uncovered a malicious package on PyPI, "fabrice," which has been secretly stealing AWS credentials from developers since its launch in March 2021. Typosquatting on the popular Python library "fabric," which facilitates remote command execution over SSH and has over 202 million downloads, "fabrice" has racked up more than 37,100 downloads as of now. This stealthy package exploits developers’ trust in "fabric" by mimicking its name and functionality while embedding malicious payloads designed to exfiltrate sensitive credentials, establish backdoors, and execute platform-specific scripts.
"Fabrice" customizes its attack methods depending on the operating system. On Linux systems, the package employs a particular function to download, decode, and execute four separate shell scripts from a remote server. These scripts allow the attacker to control the infected system remotely and execute commands as needed. In contrast, on Windows systems, "fabrice" deploys two distinct payloads: a Visual Basic Script and a Python script. The VBScript functions as a launcher that runs the hidden Python script, saved in the Downloads folder, enabling the attacker to execute commands or initiate further payloads on the system.
A secondary malicious Python script embedded in the package initiates the download of a fake executable from the same server. This executable is placed in the Downloads folder and persists by scheduling itself to run every 15 minutes. The script also deletes the original "d.py" file to cover its tracks, ensuring that the malicious processes remain undetected and active on the infected system.
Security Officer Comments:
The primary objective of "fabrice," regardless of the operating system, is credential theft, specifically targeting AWS access and secret keys. The package uses the Boto3 AWS SDK to gather these keys and transmit them back to the attacker's server. With these stolen credentials, attackers gain unauthorized access to cloud resources, potentially exposing sensitive data, controlling virtual infrastructure, and performing unauthorized actions on the victim’s cloud environment.
Suggested Corrections:
There are a few best practices that you can follow to avoid installing malicious Python packages from the Python Package Index (PyPI):
https://thehackernews.com/2024/11/malicious-pypi-package-fabrice-found.html
Cybersecurity experts recently uncovered a malicious package on PyPI, "fabrice," which has been secretly stealing AWS credentials from developers since its launch in March 2021. Typosquatting on the popular Python library "fabric," which facilitates remote command execution over SSH and has over 202 million downloads, "fabrice" has racked up more than 37,100 downloads as of now. This stealthy package exploits developers’ trust in "fabric" by mimicking its name and functionality while embedding malicious payloads designed to exfiltrate sensitive credentials, establish backdoors, and execute platform-specific scripts.
"Fabrice" customizes its attack methods depending on the operating system. On Linux systems, the package employs a particular function to download, decode, and execute four separate shell scripts from a remote server. These scripts allow the attacker to control the infected system remotely and execute commands as needed. In contrast, on Windows systems, "fabrice" deploys two distinct payloads: a Visual Basic Script and a Python script. The VBScript functions as a launcher that runs the hidden Python script, saved in the Downloads folder, enabling the attacker to execute commands or initiate further payloads on the system.
A secondary malicious Python script embedded in the package initiates the download of a fake executable from the same server. This executable is placed in the Downloads folder and persists by scheduling itself to run every 15 minutes. The script also deletes the original "d.py" file to cover its tracks, ensuring that the malicious processes remain undetected and active on the infected system.
Security Officer Comments:
The primary objective of "fabrice," regardless of the operating system, is credential theft, specifically targeting AWS access and secret keys. The package uses the Boto3 AWS SDK to gather these keys and transmit them back to the attacker's server. With these stolen credentials, attackers gain unauthorized access to cloud resources, potentially exposing sensitive data, controlling virtual infrastructure, and performing unauthorized actions on the victim’s cloud environment.
Suggested Corrections:
There are a few best practices that you can follow to avoid installing malicious Python packages from the Python Package Index (PyPI):
- Use a secure installation method: The recommended way to install packages from PyPI is using pip, the official package manager for Python. Make sure you are using the latest version of pip by running pip install --upgrade pip. You can also use pip to verify the integrity of the package before installation by using the --require-hashes option.
- Use a package manager that checks for package vulnerabilities: Some package managers, such as pipenv, provide built-in support for checking for known vulnerabilities in packages. Using a package manager that checks for vulnerabilities can help protect you from installing packages with known security issues.
- Use a virtual environment: A virtual environment is a tool that helps you isolate specific Python environments on a single machine, allowing you to install packages in an isolated location for a particular project. This can be useful if you are worried about a malicious package affecting your system-wide Python installation.
- Use caution when installing packages from unfamiliar sources: Be cautious when installing packages from sources other than PyPI, as they may not have the same level of security and quality control. If you are unsure about the safety of a package, you can check for reviews or ask for recommendations from a trusted source before installing it.
- Keep your packages up to date: Regularly updating the packages you have installed can help ensure that you have the latest security fixes and features. You can use pip to check for and install updates for all your installed packages by running pip list -o and then pip install -U package_name for each package that has an update available.
https://thehackernews.com/2024/11/malicious-pypi-package-fabrice-found.html