Researchers from JFrog discovered a token that provided administrator access to the Python, PyPI, and Python Software Foundation repositories on GitHub. The token was found in the binary file “__pycache__/bank”.
According to the report, the PyPI token was created in 2023 for the developer ewdurbin (Ee Durbin), who works on the Python Software Foundation's infrastructure. The token granted administrator rights to all project repositories and organizations, including those of pypi, python, psf, and pypa. A Docker image containing the token was published on March 3rd, 2023, and remained publicly accessible for 16 months before being deleted on June 11, 2024. The token was revoked on June 28.
The issue arose when the developer of cabotage-app5 temporarily added a working token to the source code to get around access limits hit while developing tooling to download files from GitHub. Although the token was removed before the code was published, a reference to it remained in the compiled bytecode file, which ended up in the Docker image.
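A defensive check for exactly this failure mode, added here as an example (it is not JFrog's, the PSF's, or the cabotage project's code): it compiles a module that embeds a constructed placeholder token, removes the token from the source while leaving the stale `__pycache__` entry in place, and shows that a scanner reading string constants straight out of the bytecode still finds it. The token regex and the file names are assumptions.

```python
"""Scan compiled Python bytecode (.pyc) for string constants that look like
GitHub tokens. Added example for this article, not JFrog's or the PSF's code.
It shows how a secret deleted from source survives in a stale __pycache__
entry that then gets copied into a Docker image."""
import marshal
import py_compile
import re
import tempfile
import types
from pathlib import Path

# Assumed pattern for GitHub personal access tokens: a "gh?_" prefix
# followed by 36 base62 characters (an assumption, not from the article).
TOKEN_RE = re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")

def iter_string_consts(code: types.CodeType):
    """Yield every string constant, recursing into nested code objects."""
    for const in code.co_consts:
        if isinstance(const, str):
            yield const
        elif isinstance(const, types.CodeType):
            yield from iter_string_consts(const)

def scan_pyc(path: Path) -> list[str]:
    """Return token-like strings found in a .pyc file. The file is a 16-byte
    header (magic, flags, mtime or hash, size) followed by a marshalled
    code object."""
    code = marshal.loads(path.read_bytes()[16:])
    return [m for s in iter_string_consts(code) for m in TOKEN_RE.findall(s)]

def demo() -> tuple[list[str], list[str]]:
    """Compile a module embedding a constructed fake token, then strip the
    token from the source but keep the stale .pyc. Returns the scan results
    for the stale bytecode and for bytecode recompiled from the clean source."""
    fake_token = "ghp_" + "A" * 36  # constructed placeholder, not a real credential
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "build.py"
        cache = Path(tmp) / "__pycache__"
        stale_pyc = cache / "build.stale.pyc"
        src.write_text(f'TOKEN = "{fake_token}"\ndef fetch():\n    return TOKEN\n')
        py_compile.compile(str(src), cfile=str(stale_pyc), doraise=True)
        src.write_text("def fetch():\n    return None\n")  # secret removed from source
        clean_pyc = cache / "build.clean.pyc"
        py_compile.compile(str(src), cfile=str(clean_pyc), doraise=True)
        return scan_pyc(stale_pyc), scan_pyc(clean_pyc)

if __name__ == "__main__":
    print(demo())
```

Running the same scan over every `.pyc` in a built image (or adding `__pycache__` to `.dockerignore` and compiling only inside the final build stage) is the check that would have caught this leak before publication.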