Security News > 2024 > July > GitHub Token Leak Exposes Python's Core Repositories to Potential Attacks
Cybersecurity researchers said they discovered an accidentally leaked GitHub token that could have granted elevated access to the GitHub repositories of the Python language, Python Package Index, and the Python Software Foundation repositories.
JFrog, which found the GitHub Personal Access Token, said the secret was leaked in a public Docker container hosted on Docker Hub.
An attacker could have hypothetically weaponized their admin access to orchestrate a large-scale supply chain attack by poisoning the source code associated with the core of the Python programming language, or the PyPI package manager.
Following responsible disclosure on June 28, 2024, the token - which was issued for the GitHub account linked to PyPI Admin Ee Durbin - was immediately revoked.
"While developing cabotage-app5 locally, working on the build portion of the codebase, I was consistently running into GitHub API rate limits," Durbin explained.
"These rate limits apply to anonymous access. While in production the system is configured as a GitHub App, I modified my local files to include my own access token in an act of laziness, rather than configure a localhost GitHub App. These changes were never intended to be pushed remotely."
News URL
https://thehackernews.com/2024/07/github-token-leak-exposes-pythons-core.html
Related news
- New Gitloker attacks wipe GitHub repos in extortion scheme (source)
- New York Times source code stolen using exposed GitHub token (source)
- Gitloker attacks abuse GitHub notifications to push malicious oAuth apps (source)
- Users of JetBrains IDEs at risk of GitHub access token compromise (CVE-2024-37051) (source)
- JetBrains warns of IntelliJ IDE bug exposing GitHub access tokens (source)