Cybersecurity experts have uncovered a mistakenly leaked GitHub token that could have provided unauthorized access to important repositories such as Python, Python Package Index (PyPI), and Python Software Foundation (PSF) repositories.
JFrog, the company that identified the GitHub Personal Access Token, revealed that the token was exposed in a public Docker container hosted on Docker Hub.
“The potential consequences of this incident are significant, as malicious actors could have injected harmful code into PyPI packages or even compromised the Python programming language itself,” stated the software supply chain security firm JFrog.
An attacker could have exploited this leaked token to carry out a large-scale supply chain attack by tampering with the core Python programming language or the PyPI package manager.
JFrog confirmed that the token was discovered within a Docker container, specifically in a compiled Python file (“build.cpython-311.pyc”) that was mistakenly left unattended.
Following a responsible disclosure on June 28, 2024, the token, associated with the GitHub account of PyPI Admin Ee Durbin, was promptly revoked to prevent any potential misuse. Fortunately, there is no indication that the token was exploited in the wild.
PyPI reported that the token was generated prior to March 3, 2023, but the exact issuance date remains unknown due to the unavailability of security logs beyond 90 days.
During the development of a project locally, Durbin encountered GitHub API rate limits while working on the codebase. To bypass these limits, Durbin admitted to using a personal access token instead of configuring a proper GitHub App, a decision that was not meant for remote deployment.
Recently, Checkmarx uncovered a series of malicious packages on PyPI designed to extract sensitive data to a Telegram bot without user consent or knowledge.
The malicious packages, including testbrojct2, proxyfullscraper, proxyalhttp, and proxyfullscrapers, scan compromised systems for various file extensions to exfiltrate data to a Telegram bot associated with cybercriminal activities in Iraq.
Yehuda Gelb, a researcher at Checkmarx, highlighted that the bot has been operational since 2022 and is involved in financial theft and data exfiltration.