A malicious package on the Python Package Index (PyPI) has been quietly exfiltrating Amazon Web Services credentials from developers for over three years, a new report from cybersecurity researchers at Socket has revealed.
The package “fabrice” is a typosquat of the popular Python library “fabric”, which is used for executing remote shell commands. It has been downloaded more than 37,000 times and, despite detection, remains available on PyPI.
For Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, the long-term nature of the campaign suggests a calculated approach by advanced threat actors.
“This approach aligns with a trend where attackers prioritize persistent access over immediate impact, likely understanding that collecting AWS credentials over time allows them to build an extensive, high-value data set gradually. This collected data can be leveraged for deeper access to target environments, sold to other threat actors, or monetized in phases, maximizing the breach’s longevity and value,” she said.
The typosquatting package exploits the trust associated with “fabric” – which boasts over 202 million downloads – to deliver payloads that steal credentials, create backdoors, and execute platform-specific scripts.
Rom Carmel, Co-Founder and CEO of Apono, argues that while improving security awareness education and implementing processes for secure coding can help developers make more secure decisions, security teams need to do more to mitigate the impacts of credential theft.
“Protecting your organization once credentials are compromised, as we see on a near daily basis, requires thinking in terms of defense-in-depth. That means implementing not only MFA but reducing the blast radius from an account takeover in terms of the availability of access and the scope of privileges that attackers can use,” he said.
This discovery has added weight to the argument for greater scrutiny of software supply chains. Guenther argues that current supply chain security strategies have a blind spot, whereby traditional security tools overlook vulnerabilities within software repositories and development environments.
“Attackers exploit this oversight, targeting open-source packages as an entry point where rigorous vetting processes are often absent,” she said.
To protect against these threats, Guenther suggests that intelligence teams implement repository monitoring, supply chain threat monitoring, and continuous awareness and security standards for developers.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.