Cybersecurity researchers have reported the discovery of an inadvertently leaked GitHub token that could have provided elevated access to the repositories of the Python language, the Python Package Index (PyPI), and the Python Software Foundation (PSF).
JFrog, the firm that found the GitHub Personal Access Token, stated that the secret was exposed in a public Docker container hosted on Docker Hub.
“This incident was highly significant due to the potentially severe consequences if the token had been exploited by malicious actors. It could have allowed someone to inject harmful code into PyPI packages, potentially replacing all Python packages with malicious versions, and even compromise the Python language itself,” said the software supply chain security company.
An attacker could have leveraged the token's admin access to initiate a large-scale supply chain attack by contaminating the source code of the core Python programming language or the PyPI package manager.
JFrog revealed that the authentication token was discovered within a Docker container, in a compiled Python file (“build.cpython-311.pyc”) that had been unintentionally left behind.
After responsible disclosure on June 28, 2024, the token – which was linked to PyPI Admin Ee Durbin’s GitHub account – was immediately revoked. There is no evidence to suggest that the token was exploited in the wild.
PyPI mentioned that the token was issued sometime before March 3, 2023, but the precise date is unknown because security logs are only retained for 90 days.
“While developing cabotage-app locally and working on the build part of the codebase, I frequently encountered GitHub API rate limits,” Durbin explained.
“These rate limits apply to anonymous access. Although the system is configured as a GitHub App in production, I modified my local files to use my own access token out of convenience, instead of setting up a localhost GitHub App. These changes were never meant to be pushed remotely.”
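The failure mode described above, a secret that survives in a compiled `.pyc` file after the source has been cleaned up, can be checked for before an image is published. The following is an added example, not code from JFrog, PyPI or cabotage-app; the token regex is an approximation of GitHub's token formats, and the function names, `build.py` and the token value are constructed for illustration.

```python
import importlib.util
import marshal
import pathlib
import py_compile
import re
import tempfile
import types

# Approximate GitHub token shapes: classic/OAuth/app prefixes and fine-grained PATs.
TOKEN_RE = re.compile(rb"gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}")

def _walk(code, hits):
    """Recurse through nested code objects, recording which one holds a token."""
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            _walk(const, hits)
        elif isinstance(const, (str, bytes)):
            raw = const.encode("utf-8", "replace") if isinstance(const, str) else const
            hits += [(code.co_name, m.group().decode()) for m in TOKEN_RE.finditer(raw)]

def scan_pyc(path, trusted=False):
    """Return (location, token) pairs for one .pyc file."""
    data = pathlib.Path(path).read_bytes()
    hits = []
    if trusted and data[:4] == importlib.util.MAGIC_NUMBER:
        # marshal is unsafe on hostile input: only load bytecode you built yourself.
        _walk(marshal.loads(data[16:]), hits)  # 16-byte header (3.7+), then code object
    else:
        # String constants are stored as plain bytes, so a raw scan works for any version.
        hits += [("<raw bytes>", m.group().decode()) for m in TOKEN_RE.finditer(data)]
    return hits

def scan_tree(root, trusted=False):
    """Scan every .pyc under root, e.g. an unpacked image filesystem."""
    files = sorted(pathlib.Path(root).rglob("*.pyc"))
    return {str(p): h for p in files if (h := scan_pyc(p, trusted))}

def demo():
    """Constructed case: the source file is deleted, the compiled file is left behind."""
    fake = "ghp_" + "A" * 36  # constructed placeholder, not a real token
    with tempfile.TemporaryDirectory() as tmp:
        src = pathlib.Path(tmp, "build.py")
        src.write_text(f"def fetch():\n    token = {fake!r}\n    return token\n")
        py_compile.compile(str(src), cfile=str(src.with_suffix(".pyc")))
        src.unlink()  # only build.pyc remains
        return scan_tree(tmp), scan_tree(tmp, trusted=True)

if __name__ == "__main__":
    print(demo())
```

With `trusted=True` the report names the function that held the literal, which helps locate the source line to fix; the default raw scan is the mode to use on images from other parties.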
This disclosure coincides with Checkmarx’s discovery of several malicious packages on PyPI designed to exfiltrate sensitive information to a Telegram bot without the users’ consent or knowledge.
The malicious packages – testbrojct2, proxyfullscraper, proxyalhttp, and proxyfullscrapers – operate by scanning the compromised system for files with extensions such as .py, .php, .zip, .png, .jpg, and .jpeg.