A GitHub token leak could have put the entire Python language at risk

What if Python was malicious?

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

What if thePythonprogramming language itself was malicious? It would be the most devastating supply chain attack in human history - but it almost happened after an important GitHub token was accidentally leaked.

Cybersecurity researchers from JFrog recently discovered a GitHub Personal Access Token in a public Docker container hosted on Docker Hub, which granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF).

“This case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands – one could supposedly injectmalicious codeinto PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself,” the researchers said in their writeup.

Exposed for months

They added that they found the token inside a Docker container in a compiled Python file that was erroneously not cleaned up.

According to PyPI, the token was issued before March 3, 2023, but the exact date is impossible to determine since the logs only last for 90 days. PyPI Admin Ee Durbin was notified on June 28 this year, after which the token was revoked.

The Python package Index (PyPI), is the world’s number one source for Python packages. The open-source platform is a central hub for developers looking to publish and share their Python software and libraries with the community. As such, it is an extremely popular target for cybercriminals interested in supply-chain attacks. By sneaking malicious packages into the platform (or poisoning existing ones), cybercriminals can compromise hundreds of organizations in one fell swoop.

To make matters worse, many Fortune 100 companies use PyPI in their software products, includingGoogle,Microsoft,Amazon, andApple.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

In late March 2024, the platform was forced to suspend new account and new project registrations to tackle a large-scale cyberattack in which threat actors tried to upload hundreds of malicious packages.

ViaTheHackerNews

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Rising AI threats are making firms turn back to human intelligence

Thousands of employees could be falling victim to obvious phishing scams every month

Google’s new AI video maker for businesses is now available on Workspace