What if the Python programming language was malicious? It would be the most devastating supply chain attack in human history, but it almost happened after an important GitHub token was accidentally leaked.
JFrog cybersecurity researchers recently discovered a GitHub personal access token in a public Docker container hosted on Docker Hub, which granted elevated access to GitHub repositories for the Python language, Python Package Index (PyPI), and Python Software Foundation (PSF).
“This case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands: one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious packages), and even into the Python language itself,” the researchers said in their paper.
Exposed for months
They added that they found the token inside a Docker container in a compiled Python file that was mistakenly not cleaned up.
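The compiled-file detail is the practical lesson: deleting `.py` sources before publishing a container image does not remove string constants baked into the `.pyc` bytecode. The following is an added example (not from the article or from JFrog's research) that compiles a constructed script holding a placeholder token, deletes the source, and scans the remaining `.pyc` for GitHub token formats; it assumes Python 3.7 or later (16-byte `.pyc` header) and a fake token value.

```python
"""Scan a compiled Python (.pyc) file for GitHub token string constants.
Added, constructed example (Python >= 3.7, 16-byte .pyc header); the token is a fake."""
import importlib.util
import marshal
import os
import py_compile
import re
import tempfile

# GitHub token formats: classic PATs/app tokens (ghp_/gho_/ghu_/ghs_/ghr_ + 36 chars), fine-grained (github_pat_ + 82)
TOKEN_RE = re.compile(rb"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82}")

SAMPLE_SOURCE = '''
def publish():
    token = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"  # placeholder, hard-coded by mistake
    return token
'''

def string_constants(code):
    """Yield every str/bytes constant in a code object, recursing into nested functions."""
    for const in code.co_consts:
        if isinstance(const, (str, bytes)):
            yield const.encode() if isinstance(const, str) else const
        elif hasattr(const, "co_consts"):
            yield from string_constants(const)

def scan_pyc(path):
    """Return sorted token-like strings found among the .pyc's code object constants."""
    with open(path, "rb") as fh:
        if fh.read(4) != importlib.util.MAGIC_NUMBER:
            raise ValueError("not a .pyc for this interpreter version")
        fh.seek(16)  # skip magic, flags and source mtime/size (or hash) fields
        code = marshal.load(fh)
    hits = set()
    for const in string_constants(code):
        hits.update(m.decode() for m in TOKEN_RE.findall(const))
    return sorted(hits)

def build_and_scan_sample():
    """Compile SAMPLE_SOURCE, delete the .py, and show the secret survives in the .pyc."""
    with tempfile.TemporaryDirectory() as tmp:
        src, pyc = os.path.join(tmp, "build.py"), os.path.join(tmp, "build.pyc")
        with open(src, "w") as fh:
            fh.write(SAMPLE_SOURCE)
        py_compile.compile(src, cfile=pyc, doraise=True)
        os.remove(src)  # source gone, as in a "cleaned up" image layer; bytecode still holds the token
        return scan_pyc(pyc)

if __name__ == "__main__":
    print(build_and_scan_sample())  # ['ghp_0123456789abcdefghijklmnopqrstuvwxyz']
```

Running the same scan over every `.pyc` in an image's filesystem before pushing it to a registry is the check that would have caught this leak.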
According to PyPI, the token was issued before March 3, 2023, but it is impossible to determine the exact date as registrations only last for 90 days. PyPI administrator Ee Durbin received the notification on June 28 this year, after which the token was revoked.
The Python Package Index (PyPI) is the world’s number one source for Python packages. The open-source platform is a central hub for developers looking to publish and share their Python software and libraries with the community. As such, it is an extremely popular target for cybercriminals interested in supply chain attacks. By introducing malicious packages to the platform (or poisoning existing ones), cybercriminals can compromise hundreds of organizations in one fell swoop.
To make matters worse, many Fortune 100 companies use PyPI in their software products, including Google, Microsoft, Amazon, and Apple.
In late March 2024, the platform was forced to suspend registration of new accounts and new projects to address a large-scale cyberattack in which threat actors attempted to upload hundreds of malicious packages.
Via Hackers News