Cybersecurity researchers said they discovered an accidentally leaked GitHub token that could have granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF) repositories.
JFrog, which found the GitHub Personal Access Token, said the secret was leaked in a public Docker container hosted on Docker Hub.
“This case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands – one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself,” the software supply chain security company said.
An attacker could have hypothetically weaponized their admin access to orchestrate a large-scale supply chain attack by poisoning the source code associated with the core of the Python programming language, or the PyPI package manager.
JFrog noted that the authentication token was found inside a Docker container, in a compiled Python file (“build.cpython-311.pyc”) that was inadvertently not cleaned up.
Following responsible disclosure on June 28, 2024, the token – which was issued for the GitHub account linked to PyPI Admin Ee Durbin – was immediately revoked. There is no evidence that the secret was exploited in the wild.
PyPI said the token was issued sometime prior to March 3, 2023, and that the exact date is unknown due to the fact that security logs are unavailable beyond 90 days.
“While developing cabotage-app5 locally, working on the build portion of the codebase, I was consistently running into GitHub API rate limits,” Durbin explained.
“These rate limits apply to anonymous access. While in production the system is configured as a GitHub App, I modified my local files to include my own access token in an act of laziness, rather than configure a localhost GitHub App. These changes were never intended to be pushed remotely.”
The disclosure comes as Checkmarx uncovered a series of malicious packages on PyPI that are designed to exfiltrate sensitive information to a Telegram bot without victims’ consent or knowledge.
The packages in question – testbrojct2, proxyfullscraper, proxyalhttp, and proxyfullscrapers – work by scanning the compromised system for files matching extensions like .py, .php, .zip, .png, .jpg, and .jpeg.
“The Telegram bot is linked to multiple cybercriminal operations based in Iraq,” Checkmarx researcher Yehuda Gelb said, noting the bot’s message history dates all the way back to 2022.
“The bot functions also as an underground marketplace offering social media manipulation services. It has been linked to financial theft and exploits victims by exfiltrating their data.”
