A malicious Python package called "Fabrice" that’s been live on PyPI since 2021 has been typosquatting the popular Fabric SSH automation library, quietly exfiltrating AWS credentials by making more than 37,000 downloads.
The Socket Research Team said in a Nov. 6 post that the legitimate Fabric library has more than 201 million downloads and has earned the trust of developers worldwide. Fabric operates as a high-level Python (2.7, 3.4+) library that executes shell commands remotely over SSH, yielding useful Python objects in return.
According to the Socket Research Team, Fabrice was designed to exploit this trust: it contains payloads that steal credentials, create backdoors, and execute platform-specific scripts.
“The Fabrice package represents a sophisticated typosquatting attack, crafted to…exploit unsuspecting developers by gaining unauthorized access to sensitive credentials on both Linux and Windows systems,” wrote the researchers. “Through obfuscated URLs, encoded payloads, and a VPN-based proxy server for covert data exfiltration, this attack underscores the critical importance of using tools that will alert you to this behavior before it lands in your codebase.
The long-term nature of the Fabrice package, which remained active on PyPI for over three years, reflects a calculated, strategic patience often associated with advanced, resourceful threat actors, explained Callie Guenther, senior manager of cyber threat research at Critical Start.
Guenther, an SC Media columnist, said this approach aligns with a trend where attackers prioritize persistent access over immediate impact, likely understanding that collecting AWS credentials over time allows them to gradually build an extensive, high-value data set.
“This collected data can be leveraged for deeper access to target environments, sold to other threat actors, or monetized in phases, maximizing the breach’s longevity and value,” said Guenther. “Typosquatting is an age-old tactic, yet it continues to yield results, especially within the open-source ecosystem where reliance on third-party packages is widespread and often unchecked.”
Guenther added that the intent behind collecting AWS credentials suggests that the attacker either had or anticipated future access to AWS-based infrastructure. AWS credentials offer a pivot-point into cloud-based assets, allowing threat actors not only to exfiltrate data but also to establish secondary backdoors, deploy further payloads, or disrupt operations through data destruction or encryption.
“This focus on cloud credentials indicates an understanding of how critical AWS environments are to the operations of many organizations,” said Guenther. This credential-theft approach points to a calculated, highly valuable attack path.
When a non-human identity (NHI) gets exploited, it’s often just an entry point for attackers to quietly compromise additional identities and assets, said Itzik Alvas, co-founder and CEO at Entro Security. Alvas said while IBM estimates it can take up to a year for companies to identify and mitigate compromised identities in their environments, the “Fabrice” exploit is a good example of how these statistics are only based on the exploits that have been uncovered.
“There are potentially many undetected multi-year exploits such as this one that lay dormant in various environments, feeding on additional credentials to establish larger payloads without detection,” said Alvas. “This exploit also underscores the necessity of rapidly detecting and responding to abnormal behaviors related to NHIs. Once an attacker’s entered an environment with a compromised NHI it’s only a matter of time before they are able to obtain additional credentials.”
