A GitHub token leak could have compromised the entire Python language
What if the Python programming language itself was malicious? It would be the most devastating supply chain attack in human history – but it almost happened after a key GitHub token was accidentally leaked.
Cybersecurity researchers at JFrog recently discovered a GitHub Personal Access Token in a public Docker container hosted on Docker Hub. This token granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF).
“This case was exceptional because it is difficult to overestimate the potential consequences if it fell into the wrong hands. One could inject malicious code into PyPI packages (imagine replacing all Python packages with malicious packages), and even into the Python language itself,” the researchers wrote in their paper.
Exposed for months
They added that they found the token in a Docker container in a compiled Python file that had been incorrectly left uncleaned.
According to PyPI, the token was issued before March 3, 2023, but the exact date is impossible to determine since the logs are only valid for 90 days. PyPI Admin Ee Durbin was notified on June 28 of this year, after which the token was revoked.
The Python Package Index (PyPI) is the world’s number one source for Python packages. The open-source platform is a central hub for developers who want to publish and share their Python software and libraries with the community. As such, it is an extremely popular target for cybercriminals interested in supply-chain attacks. By sneaking malicious packages into the platform (or poisoning existing packages), cybercriminals can compromise hundreds of organizations in a single fell swoop.
To make matters worse, many Fortune 100 companies use PyPI in their software products, including Google, Microsoft, Amazon, and Apple.
In late March 2024, the platform was forced to suspend new account and project registrations to address a large-scale cyberattack in which cyber actors attempted to upload hundreds of malicious packages.
Through TheHackerNews