fbpx

Cybersecurity researchers have discovered an accidentally leaked GitHub token that could have granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF). JFrog, the firm that identified the GitHub Personal Access Token, reported that the secret was leaked in a public Docker container hosted on Docker Hub.

You might be interested in: Eldorado Ransomware Attacks Windows and Linux

“This case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands – one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even into the Python language itself,” said JFrog, a software supply chain security company. An attacker could have hypothetically weaponized their admin access to orchestrate a large-scale supply chain attack by poisoning the source code associated with the core of the Python programming language or the PyPI package manager.

JFrog noted that the authentication token was found inside a Docker container, in a compiled Python file (“build.cpython-311.pyc”) that was inadvertently not cleaned up. Following responsible disclosure on June 28, 2024, the token – issued for the GitHub account linked to PyPI Admin Ee Durbin – was immediately revoked. There is no evidence that the secret was exploited in the wild. PyPI stated that the token was issued sometime prior to March 3, 2023, but the exact date is unknown because security logs are unavailable beyond 90 days.

“While developing cabotage-app5 locally, working on the build portion of the codebase, I was consistently running into GitHub API rate limits,” Durbin explained. “These rate limits apply to anonymous access. While in production the system is configured as a GitHub App, I modified my local files to include my own access token in an act of laziness, rather than configure a localhost GitHub App. These changes were never intended to be pushed remotely.”

The disclosure comes as Checkmarx uncovered a series of malicious packages on PyPI designed to exfiltrate sensitive information to a Telegram bot without victims’ consent or knowledge. The packages in question – testbrojct2, proxyfullscraper, proxyalhttp, and proxyfullscrapers – work by scanning the compromised system for files matching extensions like .py, .php, .zip, .png, .jpg, and .jpeg.

“The Telegram bot is linked to multiple cybercriminal operations based in Iraq,” said Checkmarx researcher Yehuda Gelb, noting the bot’s message history dates back to 2022. “The bot functions also as an underground marketplace offering social media manipulation services. It has been linked to financial theft and exploits victims by exfiltrating their data.”

MANAGED CYBERSECURITY SOLUTIONS

Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.

GO TO CYBERSECURITY SOLUTIONS

About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

Privacy Preference Center