Malicious PyPI Package “fabrice” Stole AWS Credentials for 3 Years

A team of researchers from Socket has discovered a malicious Python package named fabrice, disguised as the popular library fabric. This package, which has been present on PyPI since 2021 and downloaded over 37,000 times, secretly steals AWS credentials from developers.

The legitimate fabric library, developed by bitprophet, is widely used by professionals around the world and has over 200 million downloads. However, attackers exploited this trust by creating a lookalike package containing malicious code. The fabrice package steals access keys, creates backdoors, and executes commands depending on the operating system.

How the Malicious Code Works

  • On Linux: The malicious code runs via the linuxThread() function, which downloads and executes scripts from a remote server. A hidden directory is used to store downloaded files, making them harder to detect. The server address is obfuscated to help evade antivirus detection.
  • On Windows: The system is infected using the winThread() function, which downloads malicious executables and creates scheduled tasks for their regular execution. This allows attackers to maintain access to compromised devices even after a reboot.

Main Target: AWS Credentials

The primary goal of fabrice is to steal AWS credentials. Using the boto3 library, the malicious code reads the access keys available to the developer's environment and sends them to a server hosted behind a VPN in Paris. This makes the attackers harder to trace and gives them access to victims’ cloud resources.
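The two sections above describe the behaviours a reviewer would look for when triaging a suspicious package: cloud-credential access through boto3, network downloads feeding an execution primitive, and scheduled-task persistence. The following static triage script is an added example written for this article; it is not code from Socket or from the fabrice analysis. It parses Python source with the standard `ast` module and scores combinations of those indicators. The indicator sets, weights and threshold are assumptions, and both source samples are constructed for the demonstration.

```python
"""Heuristic static triage of Python source for the behaviours the article
attributes to fabrice: boto3 credential access, remote fetch plus execution,
and scheduled-task persistence.

Added example, not from the article or from Socket. Indicator sets, weights
and the threshold are assumptions; the two samples at the bottom are constructed.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass, field

# Assumed indicator sets; a real deployment would tune these against its own code base.
CREDENTIAL_MODULES = {"boto3", "botocore"}
NETWORK_MODULES = {"urllib.request", "requests", "http.client", "socket"}
EXEC_CALLS = {"exec", "eval", "system", "Popen", "run", "call", "check_output"}
CREDENTIAL_CALLS = {"get_credentials", "get_frozen_credentials"}
PERSISTENCE_STRINGS = ("schtasks", "crontab", "/etc/cron")


@dataclass
class Findings:
    imports: set[str] = field(default_factory=set)
    exec_calls: list[str] = field(default_factory=list)
    credential_calls: list[str] = field(default_factory=list)
    persistence_strings: list[str] = field(default_factory=list)

    def score(self) -> int:
        """Additive score: a single indicator is weak, a combination is what matters."""
        s = 0
        if self.imports & CREDENTIAL_MODULES or self.credential_calls:
            s += 2  # touches cloud credentials
        if self.imports & NETWORK_MODULES:
            s += 1  # can talk to a remote server
        if self.exec_calls:
            s += 2  # can execute commands or code
        if self.persistence_strings:
            s += 3  # references a persistence mechanism
        return s


def _call_name(fn: ast.expr) -> str | None:
    """Name of the called function for `name(...)` and `obj.attr(...)` forms."""
    if isinstance(fn, ast.Name):
        return fn.id
    if isinstance(fn, ast.Attribute):
        return fn.attr
    return None


def analyze_source(src: str) -> Findings:
    """Walk the AST and collect imports, risky call names and persistence literals."""
    f = Findings()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            f.imports.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            f.imports.add(node.module)
        elif isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in EXEC_CALLS:
                f.exec_calls.append(name)
            elif name in CREDENTIAL_CALLS:
                f.credential_calls.append(name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(p in node.value for p in PERSISTENCE_STRINGS):
                f.persistence_strings.append(node.value)
    return f


def is_suspicious(src: str, threshold: int = 5) -> bool:
    """True when the combined score reaches the (assumed) threshold."""
    return analyze_source(src).score() >= threshold


# Constructed sample: a legitimate fabric-style deployment helper.
BENIGN_SAMPLE = '''
from fabric import Connection

def deploy(host):
    c = Connection(host)
    c.run("git pull")
'''

# Constructed sample: inert skeleton carrying the indicators from the article.
SUSPICIOUS_SAMPLE = '''
import subprocess, urllib.request
import boto3

def win_thread():
    task = "schtasks"              # persistence-related literal
    subprocess.run([task])         # execution primitive
    return boto3.Session().get_credentials()
'''

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        print(label, analyze_source(sample).score(), is_suspicious(sample))
```

The benign sample still trips one indicator (`Connection.run` is a command-execution call), which is why the score is additive: a deployment tool that runs commands is normal, while a package that also reads boto3 credentials, pulls from the network and references scheduled tasks is not. Run this over every `.py` file in an unpacked wheel or sdist before installing it, and treat the score as a prompt for manual review rather than a verdict.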

How to Stay Safe

To stay secure, developers are strongly advised to use tools that integrate with GitHub and automatically check dependencies for suspicious packages. The Socket team has already notified PyPI about the malicious package so it can be removed.
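Automated dependency checks of the kind recommended above can start with something simple: flagging requirement names that sit one edit away from a well-known package, which is exactly the fabric/fabrice pattern. The script below is an added example written for this article, not a tool from Socket or from PyPI. It normalizes names the way PyPI does, computes Levenshtein distance against an allow-list, and audits a `requirements.txt`. The allow-list here is a small constructed sample; a real check would load the top-downloaded PyPI package names.

```python
"""Flag requirement names that closely resemble well-known PyPI packages.

Added example, not from the original article. POPULAR_PACKAGES is a small
constructed sample; a real check would use a curated list of top PyPI names.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample allow-list (assumption: a real list would be much larger).
POPULAR_PACKAGES = {
    "fabric", "requests", "boto3", "numpy", "paramiko", "urllib3", "flask",
}


def normalize(name: str) -> str:
    """PEP 503 normalization: lower-case and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute, each costing 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalikes(name: str, known: Iterable[str] = POPULAR_PACKAGES,
               max_distance: int = 1) -> list[str]:
    """Popular names within max_distance edits of `name`, excluding exact matches."""
    n = normalize(name)
    hits = []
    for k in known:
        kn = normalize(k)
        if kn != n and edit_distance(n, kn) <= max_distance:
            hits.append(k)
    return sorted(hits)


def parse_requirements(text: str) -> list[str]:
    """Bare project names from requirements.txt content; ignores comments,
    option lines, extras and version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names


def audit_requirements(text: str) -> dict[str, list[str]]:
    """Map each suspicious requirement to the popular names it resembles."""
    report = {}
    for name in parse_requirements(text):
        hits = lookalikes(name)
        if hits:
            report[name] = hits
    return report


# Constructed requirements file; "fabrice" is the case from the article.
SAMPLE_REQUIREMENTS = """\
# constructed example
fabrice==1.0.0      # one edit away from fabric
requests>=2.31
boto3
Flask[async]==3.0.0
"""

if __name__ == "__main__":
    for pkg, hits in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"WARNING: {pkg!r} resembles well-known package(s): {', '.join(hits)}")
```

Wire this into a pre-commit hook or CI step so a lookalike name fails the build before `pip install` runs; exact matches against the allow-list pass, which is what keeps the legitimate `fabric`, `requests` and `boto3` entries quiet while `fabrice` is flagged.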