Accidental Leak of GitHub Token with High Privileges for Python Related Repositories

TapTechNews, July 16: cyber security researchers discovered an accidentally leaked GitHub token that could access the Python language, the Python Package Index (PyPI), and the Python Software Foundation (PSF) repositories with the highest privileges.


The cyber security company JFrog said that this GitHub personal access token was sitting in a public Docker container image on Docker Hub. TapTechNews reproduces the relevant part of the blog post below:

This security case is very special. If this token falls into the hands of criminals, its potential destructive power cannot be overstated. For example, attackers can inject malicious code into PyPI packages (and then upgrade all Python packages to replace them with malicious software), and even inject malicious code into the Python language itself.


JFrog found this authentication token in a compiled Python file (“build.cpython-311.pyc”) inside a publicly accessible Docker container image; the token had been created before March 3, 2023. Because the relevant security logs expire after 90 days, the exact creation date is not known.
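The failure mode described here, a credential surviving in compiled bytecode shipped inside an image, is something a defender can check for directly. The scanner below is an added example, not code from the article or from JFrog; it assumes the CPython 3.7+ .pyc header layout and GitHub's published token prefixes, and the token it finds is a constructed placeholder, not a real credential.

```python
"""Scan compiled Python bytecode (.pyc) for GitHub-shaped token strings."""
import marshal
import py_compile
import re
import tempfile
import types
from pathlib import Path

# Prefixes GitHub uses for its token formats (classic PAT, OAuth, user-to-server,
# server-to-server, refresh, fine-grained PAT). The trailing length rule is a
# deliberately loose assumption; tighten it to match your scanner's policy.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b|\bgithub_pat_[A-Za-z0-9_]{22,}\b"
)

PYC_HEADER_LEN = 16  # CPython >= 3.7: magic(4) + flags(4) + mtime/hash(4) + size(4)


def iter_string_constants(code: types.CodeType):
    """Yield every str constant in a code object, recursing into nested code objects."""
    for const in code.co_consts:
        if isinstance(const, str):
            yield const
        elif isinstance(const, types.CodeType):
            yield from iter_string_constants(const)


def find_tokens_in_pyc(pyc_path: Path) -> list[str]:
    """Return GitHub-shaped tokens found among the string constants of one .pyc."""
    data = pyc_path.read_bytes()
    code = marshal.loads(data[PYC_HEADER_LEN:])  # fixed header, then the marshalled code
    hits = []
    for text in iter_string_constants(code):
        hits.extend(GITHUB_TOKEN_RE.findall(text))
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every .pyc under root (e.g. an extracted image layer): path -> tokens found."""
    return {str(p): hits for p in root.rglob("*.pyc") if (hits := find_tokens_in_pyc(p))}


def demo() -> dict[str, list[str]]:
    """Compile a constructed build script holding a fake token, then scan it."""
    fake = "ghp_" + "A" * 36  # constructed placeholder, not a real credential
    src = f"TOKEN = '{fake}'\n\ndef build():\n    return 'Authorization: token ' + TOKEN\n"
    tmp = Path(tempfile.mkdtemp())
    (tmp / "build.py").write_text(src)
    py_compile.compile(str(tmp / "build.py"), cfile=str(tmp / "build.cpython.pyc"), doraise=True)
    return scan_tree(tmp)
```

Pointing `scan_tree` at an unpacked image layer (for example the output of `docker save` followed by extracting the layer tarballs) catches tokens that a source-only secret scan misses because the `.py` file was never shipped.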

After JFrog reported the token on June 28, 2024, it was revoked immediately, and there is no evidence that it was ever exploited by attackers.
