Cybersecurity researchers have identified an accidentally leaked GitHub token that could have granted elevated access to the repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF).
JFrog, the company that discovered the GitHub Personal Access Token, reported that the secret was leaked in a public Docker container hosted on Docker Hub.
“This case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands – one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself,” the software supply chain security company said.
An attacker with this admin access could have potentially orchestrated a large-scale supply chain attack by poisoning the source code of the Python programming language or the PyPI package manager.
JFrog noted that the authentication token was found inside a Docker container, in a compiled Python file (“build.cpython-311.pyc”) that was inadvertently not cleaned up.
Following responsible disclosure on June 28, 2024, the token – issued for the GitHub account linked to PyPI Admin Ee Durbin – was immediately revoked. There is no evidence that the secret was exploited in the wild.
PyPI said the token was issued sometime prior to March 3, 2023, but the exact date is unknown because security logs are unavailable beyond 90 days.
“While developing cabotage-app5 locally, working on the build portion of the codebase, I was consistently running into GitHub API rate limits,” Durbin explained.
“These rate limits apply to anonymous access. While in production the system is configured as a GitHub App, I modified my local files to include my own access token in an act of laziness, rather than configure a localhost GitHub App. These changes were never intended to be pushed remotely.”
This disclosure comes as Checkmarx uncovered a series of malicious packages on PyPI designed to exfiltrate sensitive information to a Telegram bot without victims’ consent or knowledge.
The packages in question – testbrojct2, proxyfullscraper, proxyalhttp, and proxyfullscrapers – work by scanning the compromised system for files matching extensions like .py, .php, .zip, .png, .jpg, and .jpeg.
“The Telegram bot is linked to multiple cybercriminal operations based in Iraq,” said Checkmarx researcher Yehuda Gelb, noting the bot’s message history dates back to 2022.
“The bot also functions as an underground marketplace offering social media manipulation services. It has been linked to financial theft and exploits victims by exfiltrating their data.”
, and the Python Software Foundation (PSF).){kind=link}