Malicious Python Package Typosquats Popular SSH Library, Exfiltrates AWS Credentials

The Socket Research Team found a malicious PyPI package named “fabrice” that typosquats the legitimate “fabric” library and has been active since 2021, with over 37,000 downloads. The package uses obfuscated URLs and platform-specific payloads to exfiltrate AWS credentials to a remote server hosted at 89.44.9.227. #fabrice #fabric #PyPI #AWS #M247

Keypoints

  • Fabrice is a typosquatting package on PyPI impersonating the fabric SSH library and has more than 37,000 downloads.
  • The package stealthily gathers AWS credentials via boto3 and sends them to a remote server at 89.44.9.227.
  • On Linux, fabrice creates a hidden directory (~/.local/bin/vscode), downloads obfuscated scripts, writes multiple files, and executes a shell script.
  • On Windows, it decodes base64 payloads into a VBScript launcher and a Python payload that drops chrome.exe and creates a scheduled task for persistence.
  • Obfuscation techniques include string concatenation for URLs and encoded payload variables (vv and zz) to hinder detection.
  • Socket reported the package to the PyPI team and recommends verifying dependencies and using security tools like the Socket app and extension.

MITRE Techniques

  • [T1036] Masquerading – The package impersonates a popular library: ‘typosquatting the popular fabric SSH automation library.’
  • [T1027] Obfuscated Files or Information – The attacker hides download locations and payloads: ‘obfuscated URLs and encoded payloads.’
  • [T1041] Exfiltration Over C2 Channel – Collected credentials are sent to a remote server: ‘silently exfiltrating AWS credentials’ and code that posts to ‘http://89.44.9.227/akkfuifkeifsa.’
  • [T1053.005] Scheduled Task/Job – Windows persistence is created via scheduled tasks: ‘schtasks /create /sc minute /mo 15 /tn “chromeUpdate” /tr C:\Users\Public\Downloads\chrome.exe /F’.
  • [T1158] Hidden Files and Directories – Linux payloads are stored in concealed locations: ‘creates a hidden directory (~/.local/bin/vscode) where it stores downloaded payloads.’

Indicators of Compromise

  • [IP Address] C2/exfiltration server – 89.44.9.227 (used in multiple download and POST endpoints)
  • [URLs/Endpoints] Malicious endpoints – http://89.44.9.227/likjfieksce, http://89.44.9.227/wirkeidnide, http://89.44.9.227/akkfuifkeifsa
  • [File names] Dropped/created files – per.sh, service.sh, app.py, info.py (Linux); p.vbs, d.py, chrome.exe (Windows)
  • [Package name] Typosquatted PyPI package – fabrice (typosquatting the legitimate fabric package)
  • [Scheduled task] Persistence artifact – Scheduled task name “chromeUpdate” created via schtasks
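
The indicators above can be turned into a small matcher that defenders run over proxy or endpoint logs and against a host's home directory. This is an added example, not code from Socket's report; the lines in SAMPLE_LOG are constructed, and the function names (match_line, scan_log, check_linux_artifacts) are this example's own.

```python
"""Defender-side IoC matcher built from the indicators listed for fabrice.

Added example: this is not code from Socket's report. SAMPLE_LOG is a
constructed log excerpt, not real captured data.
"""
import re
from pathlib import Path

# Indicators from the report.
C2_IP = "89.44.9.227"
C2_PATHS = {"likjfieksce", "wirkeidnide", "akkfuifkeifsa"}
TASK_NAME = "chromeUpdate"
PACKAGE_NAME = "fabrice"
LINUX_DROP_DIR = ".local/bin/vscode"                   # hidden dir under $HOME
LINUX_FILES = ("per.sh", "service.sh", "app.py", "info.py")
WINDOWS_EXE = r"C:\Users\Public\Downloads\chrome.exe"  # path from the schtasks line

# The lookbehind stops 189.44.9.227 and similar from matching the C2 address.
_IP_RE = re.compile(r"(?<!\d)" + re.escape(C2_IP) + r"(?::\d+)?(?:/(\w+))?")
_TASK_RE = re.compile(r'schtasks\b.*?/tn\s+["“]?' + TASK_NAME, re.IGNORECASE)
_PIP_RE = re.compile(r"\bpip3?\s+install\b.*\b" + PACKAGE_NAME + r"\b", re.IGNORECASE)


def match_line(line: str) -> list[str]:
    """Return the indicator tags that fire on one log line (empty list if clean)."""
    hits: list[str] = []
    m = _IP_RE.search(line)
    if m:
        hits.append("c2_ip")
        if m.group(1) in C2_PATHS:
            hits.append("c2_url:" + m.group(1))
    if _TASK_RE.search(line):
        hits.append("sched_task:" + TASK_NAME)
    if _PIP_RE.search(line):
        hits.append("pkg_install:" + PACKAGE_NAME)
    if WINDOWS_EXE.lower() in line.lower():
        hits.append("dropped_exe")
    return hits


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Scan log lines; return (1-based line number, hits) for every flagged line."""
    findings = []
    for n, line in enumerate(lines, start=1):
        hits = match_line(line)
        if hits:
            findings.append((n, hits))
    return findings


def check_linux_artifacts(home: str) -> list[str]:
    """Report which of the Linux drop artifacts exist under the given home directory."""
    base = Path(home).expanduser() / LINUX_DROP_DIR
    found: list[str] = []
    if base.is_dir():
        found.append(str(base))
        found.extend(str(base / f) for f in LINUX_FILES if (base / f).exists())
    return found


# Constructed sample: one build host pulling the package and calling the C2,
# plus one Windows host registering the persistence task. Not real data.
SAMPLE_LOG = [
    '2024-11-05T09:58:01Z host=build-01 cmd="pip install fabrice"',
    "2024-11-05T09:58:44Z host=build-01 GET http://89.44.9.227/likjfieksce 200",
    "2024-11-05T09:58:45Z host=build-01 GET https://pypi.org/simple/requests/ 200",
    "2024-11-05T09:59:02Z host=build-01 POST http://89.44.9.227/akkfuifkeifsa 200",
    r'2024-11-05T10:03:17Z host=dev-win-7 cmd="schtasks /create /sc minute /mo 15 '
    r'/tn chromeUpdate /tr C:\Users\Public\Downloads\chrome.exe /F"',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
    for path in check_linux_artifacts("~"):
        print("artifact present:", path)
```

The matcher keys on the exact C2 address and the three endpoint paths rather than on the generic "POST to an IP" pattern, so it stays quiet on normal PyPI traffic; the host check only reports the hidden directory and file names the report names, which is enough to triage a developer workstation without executing anything found there.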

————

Socket’s researchers uncovered a malicious PyPI package, fabrice, deliberately designed to impersonate the trusted fabric SSH library and trick developers into installing it. Active since 2021 with tens of thousands of downloads, the package uses obfuscated URLs and encoded payloads to fetch and write scripts quietly, then execute them depending on the host operating system.

On Linux, fabrice creates a hidden directory (~/.local/bin/vscode), downloads a multi-part payload from a remote server, reconstructs several files (service.sh, app.py, info.py, per.sh), sets execution permissions, and runs the installer script. On Windows, the package decodes base64 variables into a VBScript launcher (p.vbs) that runs a hidden Python script (d.py), which then drops an executable (chrome.exe) and installs a scheduled task named “chromeUpdate” to run every 15 minutes, ensuring persistence.

The primary objective appears to be credential theft: the package uses boto3 to collect AWS credentials and POST them to the attacker-controlled IP 89.44.9.227. Socket has reported fabrice to the PyPI team for takedown and recommends developers verify dependencies, adopt supply-chain protections, and use tooling (such as the Socket GitHub app and web extension) to detect these kinds of supply-chain threats before they reach production.
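
One concrete form of the dependency verification Socket recommends is screening a requirements file for names that sit within a short edit distance of a package you actually intend to use, which is exactly how "fabrice" relates to "fabric". This is an added example, not Socket's tooling: KNOWN_PACKAGES is a tiny illustrative allowlist (a real one would be the project's own pinned dependencies or a curated list of popular PyPI names), SAMPLE_REQUIREMENTS is constructed, and the function names are this example's own.

```python
"""Screen a requirements file for package names that resemble, but are not,
known packages, the way "fabrice" shadows "fabric".

Added example, not Socket's tooling. KNOWN_PACKAGES is a tiny illustrative
allowlist and SAMPLE_REQUIREMENTS is a constructed file.
"""
import re

KNOWN_PACKAGES = {"fabric", "requests", "boto3", "paramiko", "invoke"}

# First token of a requirement line: the distribution name before any specifier.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalikes(name: str, known: set[str], max_distance: int = 2) -> list[tuple[str, int]]:
    """Known names within max_distance of `name`; empty if `name` itself is known."""
    target = normalize(name)
    if target in {normalize(k) for k in known}:
        return []
    hits = []
    for k in known:
        d = edit_distance(target, normalize(k))
        if d <= max_distance:
            hits.append((k, d))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def screen_requirements(text: str, known: set[str] = KNOWN_PACKAGES) -> dict[str, list[tuple[str, int]]]:
    """Map each suspicious requirement name to the known names it resembles."""
    flagged = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or pip option line
            continue
        m = _NAME_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        near = lookalikes(name, known)
        if near:
            flagged[name] = near
    return flagged


# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
fabrice>=1.0        # one letter away from fabric
boto3
paramiko~=3.4
"""

if __name__ == "__main__":
    for name, near in screen_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: resembles {near}")
```

A distance threshold of 2 catches single-character insertions, omissions and transposition-style edits without flagging unrelated short names; run it in CI before `pip install -r` so a look-alike name blocks the build rather than being noticed after the fact.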

Read more: https://socket.dev/blog/malicious-python-package-typosquats-fabric-ssh-library