July 12th, 2024

Leaked admin access token to Python, PyPI, and PSF GitHub repos

The JFrog Security Research team discovered a leaked admin access token for Python repositories on GitHub. PyPI promptly revoked the token, preventing a supply chain attack. Emphasizes the importance of scanning binaries for security.

Read original articleLink Icon
Leaked admin access token to Python, PyPI, and PSF GitHub repos

The JFrog Security Research team uncovered a leaked access token with administrator privileges to critical Python repositories on GitHub, potentially leading to a catastrophic supply chain attack. The team swiftly reported the issue to PyPI, which revoked the token within 17 minutes, preventing any malicious exploitation. The incident highlighted the importance of scanning for secrets in binaries, not just in source code, to enhance security measures. The leaked token could have allowed an attacker to inject malicious code into Python packages or manipulate PyPI's Warehouse code, posing significant risks to millions of users worldwide. The post emphasized the necessity of using modern access tokens with limited privileges and the significance of scanning binary artifacts for leaked secrets. JFrog's secret detection engine successfully identified the leaked token in a compiled Python binary file, showcasing the effectiveness of comprehensive scanning methods. This incident underscores the critical role of proactive security measures in safeguarding software supply chains against potential threats.

Related

Rabbit data breach: all r1 responses ever given can be downloaded

Rabbit data breach: all r1 responses ever given can be downloaded

A data breach at Rabbit Inc. exposed critical API keys for ElevenLabs, Azure, Yelp, and Google Maps, compromising personal information and enabling malicious actions. Rabbit Inc. has not addressed the issue, urging users to unlink Rabbithole connections.

R1 jailbreakers find security flaw in Rabbit's code

R1 jailbreakers find security flaw in Rabbit's code

A group of R1 jailbreakers discovered a security flaw in Rabbit's code, exposing hardcoded API keys. Rabbit took action after a month, revoking most compromised keys. The breach complicates Rabbit's recovery from R1 AI gadget issues.

3M iOS and macOS apps were exposed to potent supply-chain attacks

3M iOS and macOS apps were exposed to potent supply-chain attacks

Vulnerabilities in CocoaPods server exposed 3 million apps to supply-chain attacks for a decade. Flaws allowed hackers to inject malicious code, compromising sensitive user data. Developers urged to prioritize security measures.

'Almost every Apple device' vulnerable to CocoaPods

'Almost every Apple device' vulnerable to CocoaPods

Security researchers found vulnerabilities in CocoaPods, allowing malicious code insertion and remote code execution. Pod owners were at risk of a zero-click takeover. CocoaPods issued patches, emphasizing the need for secure software development practices.

Unverified NPM Account Takeover Vulnerability for Sale on Dark Web Forum

Unverified NPM Account Takeover Vulnerability for Sale on Dark Web Forum

A threat actor is selling an unverified npm vulnerability for account takeover on BreachForums. npm has not confirmed the vulnerability. The dark web forum's reputation for cybercrime raises doubts. npm Registry is a prime target for attacks, emphasizing the need for security measures like enabling 2FA and code review.

Link Icon 4 comments
By @elchief - 4 months
The JFrog Security Research team has recently discovered and reported a leaked access token with administrator access to Python’s, PyPI’s and Python Software Foundation’s GitHub repositories, which was leaked in a public Docker container hosted on Docker Hub.

As a community service, the JFrog Security Research team continuously scans public repositories such as Docker Hub, NPM, and PyPI to identify malicious packages and leaked secrets. The team reports any findings to the relevant maintainers before attackers can take advantage of them. Although we encounter many secrets that are leaked in the same manner, this case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands – one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself!

The JFrog Security Research team identified the leaked secret and immediately reported it to PyPI’s security team, who revoked the token within a mere 17 minutes!

This post will explain how we found a GitHub PAT that provided access to the entire Python infrastructure and prevented a supply chain disaster. Using this case, we will discuss the importance of (also) shifting right in secrets detection – searching for secrets in binaries and production artifacts, not just on source code.

By @oakpond - 4 months
Yikes, TIL: never build production artifacts from a development checkout?
By @throwaway81523 - 4 months
Why did a leakable token this powerful even exist?
By @pjungwir - 4 months
How did JFrog know this github token was so powerful, compared to all the other ones I'm sure their scanner detects? What caused a human to get involved?