https://jfrog.com/blog/leaked-pypi-secret-token-revealed-in-binary-preventing-suppy-chain-attack/

Researchers at JFrog have identified a critical security lapse that could have allowed attackers to tamper with the core code of the Python programming language.

The security team discovered a leaked GitHub token with administrator access to the repositories of Python, PyPI (the Python Package Index), and the Python Software Foundation (PSF). This token was found embedded within a compiled Python file (.pyc) stored in a public Docker container on Docker Hub.

Potential Impact of the Leak

An attacker with access to this token could have injected malicious code into core Python libraries or even PyPI packages themselves. This malicious code could then have been distributed to millions of machines worldwide through unsuspecting users installing Python packages.

How the Leak Was Discovered

JFrog’s security research team was able to identify the leaked token because their secret scanning technology can detect sensitive information not only in source code but also within compiled binary files.
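
Why a secret survives compilation, shown as an added Python example (not JFrog's scanner and not code from the original post): string constants are stored verbatim inside a .pyc, so a pattern for the GitHub token format matches both in the raw bytes and in the unmarshalled constants. The sample file, the fake token and all function names are constructed for this illustration.

```python
import importlib.util
import marshal
import re
import types

# GitHub token shape: ghp_/gho_/ghu_/ghs_/ghr_ prefix followed by 36 alphanumerics.
TOKEN_RE = re.compile(rb"gh[pousr]_[A-Za-z0-9]{36}")

def build_sample_pyc() -> bytes:
    """Constructed sample: a .pyc compiled from a script with a hard-coded fake token."""
    fake = "ghp_" + "A" * 36  # constructed value, not a real credential
    src = (f"def deploy():\n"
           f"    headers = {{'Authorization': 'token {fake}'}}\n"
           f"    return headers\n")
    code = compile(src, "build.py", "exec")
    header = importlib.util.MAGIC_NUMBER + b"\x00" * 12  # flags, mtime, source size
    return header + marshal.dumps(code)

def scan_raw(pyc: bytes) -> list[str]:
    """Version-independent pass: regex over the file bytes, no unmarshalling needed."""
    return [m.decode() for m in TOKEN_RE.findall(pyc)]

def scan_consts(pyc: bytes) -> list[tuple[str, str]]:
    """Walk the code object and report which function holds each token.
    Only attempted when the .pyc magic matches the running interpreter."""
    if pyc[:4] != importlib.util.MAGIC_NUMBER:
        return []
    hits = []

    def walk(obj, owner):
        if isinstance(obj, types.CodeType):      # nested functions, classes, lambdas
            for const in obj.co_consts:
                walk(const, obj.co_name)
        elif isinstance(obj, (tuple, frozenset)):  # constant containers
            for item in obj:
                walk(item, owner)
        elif isinstance(obj, (str, bytes)):
            raw = obj.encode() if isinstance(obj, str) else obj
            hits.extend((owner, m.decode()) for m in TOKEN_RE.findall(raw))

    walk(marshal.loads(pyc[16:]), "<module>")    # 16-byte header, then the code object
    return hits

if __name__ == "__main__":
    sample = build_sample_pyc()
    print(scan_raw(sample), scan_consts(sample))
```

Deleting the .py source from an image does not remove the credential: the sample above contains no source text, only the compiled constant.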

Steps Taken to Mitigate the Risk

The JFrog team promptly reported the leak to PyPI’s security team, who revoked the compromised token within 17 minutes. Thankfully, there is no evidence that the token was exploited before it was revoked.

Lessons Learned

This incident highlights the importance of several security practices:

  • Shifting Right with Secret Detection: Security scanning should not be limited to source code but should also encompass compiled binaries and other artifacts within production environments.
  • Using Fine-Grained Access Controls: Organizations should avoid using tokens with broad access privileges and instead leverage role-based access controls that grant only the minimum permissions required for a specific task.
  • Regularly Rotate Tokens: Access tokens should be rotated periodically to limit the potential damage if one is compromised.