Cybersecurity researchers said they discovered an accidentally leaked GitHub token that could have granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF) repositories. JFrog, which found the GitHub Personal Access Token, said the secret was leaked in a public Docker container hosted on Docker Hub. "This case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands – one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself," the software supply chain security company said. An attacker could have hypothetically weaponized their admin access to orchestrate a large-scale supply chain attack by poisoning the source code associated with the core of the Python programming language, or the PyPI package manager. JFrog noted that the authentication token was found inside a Docker container, in a compiled Python file ("build.cpython-311.pyc") that was inadvertently not cleaned up. Following responsible disclosure on June 28, 2024, the token – which was issued for the GitHub account linked to PyPI Admin Ee Durbin – was immediately revoked. There is no evidence that the secret was exploited in the wild. PyPI said the token was issued sometime prior to March 3, 2023, and that the exact date is unknown due to the fact that security…Read More