Security News > 2024 > July > GitHub Token Leak Exposes Python's Core Repositories to Potential Attacks

GitHub Token Leak Exposes Python's Core Repositories to Potential Attacks
2024-07-15 16:18

Cybersecurity researchers said they discovered an accidentally leaked GitHub token that could have granted elevated access to the GitHub repositories of the Python language, Python Package Index, and the Python Software Foundation repositories.

JFrog, which found the GitHub Personal Access Token, said the secret was leaked in a public Docker container hosted on Docker Hub.

An attacker could have hypothetically weaponized their admin access to orchestrate a large-scale supply chain attack by poisoning the source code associated with the core of the Python programming language, or the PyPI package manager.

Following responsible disclosure on June 28, 2024, the token - which was issued for the GitHub account linked to PyPI Admin Ee Durbin - was immediately revoked.

"While developing cabotage-app5 locally, working on the build portion of the codebase, I was consistently running into GitHub API rate limits," Durbin explained.

"These rate limits apply to anonymous access. While in production the system is configured as a GitHub App, I modified my local files to include my own access token in an act of laziness, rather than configure a localhost GitHub App. These changes were never intended to be pushed remotely."


News URL

https://thehackernews.com/2024/07/github-token-leak-exposes-pythons-core.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Github 13 3 43 30 17 93