Socket cybersecurity researchers have discovered a malicious Python package on the Python Package Index (PyPI). Over the past three years, this package has seen 37,000 downloads and has exfiltrated users’ Amazon Web Services (AWS) credentials. The package, called ‘fabrice,’ is a typosquat of the well-known ‘fabric’ SSH library.
Rom Carmel, Co-Founder and CEO at Apono, states, “Malicious actors continue to find success by putting malicious software packages out into the developer community, playing a numbers game that a percentage of developers will make the very human mistake of choosing the wrong package for their code.
“While methods like improving security awareness education and implementing processes for secure coding can go a long way in helping developers to make more secure decisions, like we see with phishing, security teams need to take steps to secure their organizations from an assumed breach approach.
“When it comes to protecting your organization once credentials are compromised, as we see on a near-daily basis, we need to think in terms of defense-in-depth. That means implementing not only MFA, but reducing the blast radius from an account takeover in terms of the availability of access and the scope of privileges that attackers can use.”
In a statement provided to Security magazine, an AWS spokesperson said, “We recommend customers who use the legitimate software ‘fabric’ for SSH interactions ensure they are not inadvertently using the malware ‘fabrice.’ AWS customers who suspect malicious activity within their AWS accounts or credentials should follow guidance for remediating potentially compromised AWS credentials or contact AWS Support for assistance. Maintaining proper software supply chain security, including validating the correct source code and name of any software or dependency installed, reduces the risk posed by packages that abuse credentials. AWS contributes to the software supply chain security of Python’s open source ecosystem through an industry-first Python Package Index (PyPi) Security Sponsorship with Python Software Foundation.”
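One concrete way to act on the "validate the name of any dependency installed" advice is a pre-install check of the dependency manifest that flags names within a short edit distance of packages the organization actually uses, which is exactly how ‘fabrice’ relates to ‘fabric.’ This is an added example, not code from Socket, AWS or the fabric project; the allowlist and the sample requirements file are constructed.

```python
import re

# Constructed allowlist: packages this (hypothetical) organization actually depends on.
# In practice this comes from a curated internal list or a lockfile reviewed by security.
KNOWN_PACKAGES = {"fabric", "requests", "boto3", "paramiko", "invoke"}

# Constructed sample requirements.txt containing the typosquat named in the report.
SAMPLE_REQUIREMENTS = """\
# project dependencies
fabrice==2.7.1
requests>=2.31
boto3
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> list[str]:
    """Extract normalized distribution names from requirements.txt-style text."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name before specifier
        if m:
            names.append(m.group(0).lower().replace("_", "-"))  # PEP 503 style
    return names


def find_typosquat_candidates(names, known=KNOWN_PACKAGES, max_distance=2):
    """Return (requested, lookalike, distance) for names close to, but not in, the allowlist."""
    findings = []
    for name in names:
        if name in known:
            continue
        for candidate in sorted(known):
            d = levenshtein(name, candidate)
            if 0 < d <= max_distance:
                findings.append((name, candidate, d))
    return findings


if __name__ == "__main__":
    for requested, lookalike, d in find_typosquat_candidates(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"WARNING: '{requested}' is {d} edit(s) from allowlisted '{lookalike}'; verify before installing")
```

Run it as a CI step before `pip install`; a non-empty result should block the build until a human confirms the package is the intended one.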