Fabrice malware, a PyPI typosquatting supply chain attack, steals AWS credentials from Linux & Windows. Learn how to protect against similar threats.

Continue reading
A malicious Python package named `fabrice` has infiltrated the Python Package Index (PyPI) since 2021. It targets developers by impersonating the legitimate 'fabric' library—a widely-used tool for SSH automation. This type of attack, known as typosquatting, tricks users into installing a harmful package with a similar name.
This attack exploits the trust developers place in commonly used libraries, allowing attackers to easily infiltrate projects with minimal effort.
Typosquatting is a particularly effective technique because it relies on human error—developers might mistype the name of a package or fail to notice a subtle difference in spelling.
By mimicking the legitimate package name, attackers create a situation where unsuspecting users unknowingly introduce malicious software into their environments. The 'fabrice' package was downloaded over 37,000 times, indicating how successful such attacks can be.
Once installed, 'fabrice' carries out platform-specific malicious actions on both Linux and Windows systems, primarily aimed at stealing credentials and maintaining long-term access. The malware behaves differently depending on the host operating system, tailoring its actions to maximize impact and avoid detection.
On Linux, `fabrice` creates hidden directories and downloads obfuscated payloads (payloads that are intentionally made difficult to understand in order to hide malicious actions), ensuring persistence while evading detection. Specifically, it sets up hidden directories in the user's home directory, such as `~/.local/bin/vscode`, to store malicious files. These files are downloaded from an external server controlled by the attacker, making it difficult for traditional security tools to detect them.
The obfuscated payloads are designed to execute commands with the same privileges as the user, allowing the attacker to establish a foothold in the system. By using obfuscation techniques, the malware makes it challenging for security analysts to analyze its true intent. These hidden directories are rarely inspected by users, which helps the malware maintain a low profile and persist on the system for extended periods.
On Windows, `fabrice` takes a slightly different approach. It downloads an encoded payload (in base64 format) that contains a VBScript (`p.vbs`). This VBScript is responsible for launching another hidden Python script (`d.py`).
The use of VBScript helps maintain stealth, as it allows the malware to execute Python code without opening a visible command prompt window.
The Python script (`d.py`) downloads a malicious executable (`chrome.exe`), which is stored in the user's Downloads folder. The executable's purpose is to establish persistence by creating a scheduled task that runs every 15 minutes. This ensures that even if the system reboots, the malware will continue to execute and maintain control.
By using legitimate Windows features like scheduled tasks, 'fabrice' blends in with typical system behavior, making it more difficult for traditional antivirus solutions to detect its presence.
With over 37,000 downloads, largely due to the popularity of the legitimate 'fabric' library, this sophisticated supply chain attack highlights the risks inherent in open-source dependencies. Attackers leverage typosquatting to compromise unsuspecting developers, exfiltrate sensitive credentials, and establish backdoors for long-term system access.
Open-source software is a cornerstone of modern development, offering flexibility, cost savings, and community-driven innovation. However, it also presents a significant risk when malicious actors exploit the open nature of these ecosystems. By targeting widely used packages like 'fabric', attackers can infiltrate numerous projects and organizations with a single malicious package. This highlights the importance of verifying package authenticity before installation.
The consequences of such supply chain attacks are severe. In the case of 'fabrice', the primary objective is to steal AWS credentials. These credentials are invaluable to attackers, as they can provide access to sensitive cloud resources, allowing them to exfiltrate data, run costly operations, or even take control of cloud infrastructure. The use of the official Python SDK (`boto3`) to access AWS credentials means that any system running 'fabrice' could inadvertently leak cloud access keys, leading to substantial security breaches and financial losses.
The success of 'fabrice' also points to the need for enhanced monitoring and proactive defense mechanisms in the software development lifecycle. Developers and organizations must adopt best practices, such as using package management tools that verify the integrity of software components, implementing multi-factor authentication for cloud accounts, and conducting regular security audits of dependencies.
Mitigating the risk of typosquatting and supply chain attacks requires a combination of vigilance and proactive measures. Here are some strategies that developers and organizations can adopt to protect themselves from similar threats:
The popularity of open-source libraries like `fabric` makes them an attractive target for cybercriminals. With over 37,000 downloads, `fabrice` demonstrates how quickly malicious packages can spread within the developer community. Developers and organizations must remain vigilant, adopt best practices for dependency management, and take proactive steps to secure their software supply chains.
To learn more about how to secure your systems and protect against similar attacks, discover the comprehensive analysis of the Fabrice Malware Threat Research here.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.