The JFrog Security Research team discovered a token with administrative rights to the GitHub repositories of Python, PyPI, and the Python Software Foundation. The token was found in a public Docker container on the Docker Hub platform.
The identified token provided administrative access to the entire Python infrastructure, including the Python Software Foundation, PyPI, and CPython repositories. Had attackers gained access to these resources, they could have conducted a large-scale supply chain attack, for example by introducing malicious code into CPython and potentially spreading harmful software to millions of users worldwide.
Another possible attack scenario is the introduction of malicious code into the PyPI code repository, granting cybercriminals access to the management of popular PyPI packages. Attackers could embed malicious code inside the packages or replace them completely, posing a significant threat.
The token was discovered inside the Docker container in a compiled Python file (__pycache__/build.cpython-311.pyc). The code's author temporarily added an authorization token to the source code and compiled the code, but failed to remove the token from the compiled file. Subsequently, the developer included both the source code and the compiled .pyc file in the Docker image, so the token was present in the image despite its absence from the source code.
The case highlighted the importance of thoroughly checking both source code and binary data in published Docker images to detect potential leaks. Malicious data may be hidden in binary files, making its detection more challenging but equally crucial.
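The check described above can be sketched as a scanner for compiled Python files. This is an added example, not JFrog's tooling or code from the affected image. The token pattern (classic GitHub prefixes followed by 36 characters), the sample token, and every function name are assumptions made for illustration.

```python
import importlib.util
import marshal
import re
import types

# Assumed pattern: classic GitHub tokens (ghp_/gho_/ghu_/ghs_/ghr_ + 36 chars).
TOKEN_RE = re.compile(rb"gh[pousr]_[A-Za-z0-9]{36}")
FAKE_TOKEN = "ghp_" + "A" * 36  # constructed placeholder, not a real credential


def _walk(obj, where, hits):
    """Collect token-like strings from a code object's nested constants."""
    if isinstance(obj, types.CodeType):
        for const in obj.co_consts:
            _walk(const, obj.co_name, hits)
    elif isinstance(obj, (tuple, frozenset)):
        for item in obj:
            _walk(item, where, hits)
    elif isinstance(obj, (str, bytes)):
        raw = obj.encode("utf-8", "replace") if isinstance(obj, str) else obj
        hits.extend((where, m.group().decode()) for m in TOKEN_RE.finditer(raw))


def scan_pyc(data):
    """Return (location, token) pairs found in the bytes of one .pyc file."""
    hits = []
    # Same interpreter version: unmarshal to name the function holding the
    # string. marshal is not hardened against hostile input, so untrusted
    # images should only get the raw byte scan below.
    if data[:4] == importlib.util.MAGIC_NUMBER:
        try:
            _walk(marshal.loads(data[16:]), "<module>", hits)
        except (ValueError, EOFError, TypeError):
            hits = []
    if not hits:
        # Any other Python version: string constants are stored as plain bytes.
        hits = [("<raw bytes>", m.group().decode()) for m in TOKEN_RE.finditer(data)]
    return hits


def make_sample_pyc(token=FAKE_TOKEN):
    """Build a constructed .pyc: 16-byte header followed by marshalled code."""
    src = 'def push():\n    token = "%s"\n    return token\n' % token
    code = compile(src, "build.py", "exec")
    return importlib.util.MAGIC_NUMBER + b"\x00" * 12 + marshal.dumps(code)
```

Running scan_pyc over every .pyc extracted from an image's layers before publishing catches the case where the source file is clean but its cached bytecode is not.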
The JFrog team promptly reported the leak of the PyPI security service token, and access was revoked in just 17 minutes, preventing a potential catastrophe. PyPI conducted a comprehensive check, confirming no suspicious activity related to the token. PyPI also shared incident details and the preventive measures taken to safeguard against future breaches.