A leaked GitHub access token could have led to a catastrophic supply chain attack
The GitHub access token with administrator level privileges could have been used to great effect by threat actors


A leaked GitHub access token with administrator access to the centralized PyPI repository and the Python Software Foundation’s GitHub repository could have had disastrous consequences if not rapidly revoked.
Researchers at JFrog revealed the leaked token could have been used in a variety of different supply chain attacks, adding that the potential damage a cyber criminal could have inflicted would have been severe.
JFrog’s secret scanning engine found the authentication token in a compiled Python file inside a Docker container.
Speaking to ITPro, Brian Moussalli, malware research team leader at JFrog, noted this is something of a novel development and he had not seen access tokens leaked in this manner before.
“I’m not aware of any similar cases where tokens with such high privileges were leaked on a public repository,” he said. “I think there were cases where tokens were leaked as part of distributed software, but in this case it was some sort of accident that happened due to the developer or PyPI admin developing some sort of internal tool for the deployment of PyPI servers and they uploaded it to Docker Hub for some reason.”
“What happened is that they used the token in the source code and they ran it, and then when they uploaded it to Docker Hub they thought they had removed all traces to the sensitive token but, in fact, it was found in a binary file, which is produced after executing the actual code. So I don’t remember any such case where a leak happened as some byproduct of someone’s internal work.”
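As an added illustration of the leak mechanism described above (this is not code from JFrog, PyPI or the incident itself), the Python below hard-codes a placeholder token in a small tool, compiles it, deletes the source, and then scans what remains the way a defender would scan an unpacked image layer. The token shape (`ghp_` followed by 36 alphanumeric characters) and the placeholder value are assumptions for the demonstration.

```python
"""A hard-coded secret survives in the .pyc bytes after the .py is deleted;
a minimal scanner a defender can run over build artefacts or image layers."""
import marshal
import os
import py_compile
import re
import tempfile

# Constructed, non-working placeholder in the assumed GitHub classic PAT shape.
FAKE_TOKEN = "ghp_" + "A" * 36

# Assumed pattern for GitHub classic personal access tokens ("ghp_" + 36 chars).
GITHUB_PAT_RE = re.compile(rb"ghp_[A-Za-z0-9]{36}")

# Constructed stand-in for an internal deployment tool with a token in source.
SOURCE = f'''
TOKEN = "{FAKE_TOKEN}"   # hard-coded admin token, as in the incident
def deploy():
    return "Authorization: token " + TOKEN
'''

def compiled_bytes(source: str) -> bytes:
    """Return the marshalled code object, i.e. the body of a .pyc file."""
    code = compile(source, "deploy_tool.py", "exec")
    return marshal.dumps(code)

def find_tokens(blob: bytes) -> list[str]:
    """Return every token-shaped string found in raw bytes (order preserved)."""
    return [m.decode() for m in GITHUB_PAT_RE.findall(blob)]

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory (e.g. an unpacked image layer) and scan every .pyc."""
    hits: dict[str, list[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".pyc"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    found = find_tokens(fh.read())
                if found:
                    hits[path] = found
    return hits

def demo() -> dict[str, list[str]]:
    """Write the tool, compile it, delete the .py, and scan what is left."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "deploy_tool.py")
        with open(src, "w") as fh:
            fh.write(SOURCE)
        py_compile.compile(src, cfile=os.path.join(tmp, "deploy_tool.pyc"))
        os.remove(src)  # "all traces removed", except the compiled byproduct
        return {os.path.basename(p): v for p, v in scan_tree(tmp).items()}
```

Running `demo()` reports the placeholder token inside `deploy_tool.pyc` even though the source file is gone, which is why secret scanning should cover binary and compiled artefacts, not only source trees.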
David Sancho, senior threat researcher at Trend Micro, added that the software supply chain has seen a number of attacks leveraging malicious software updates to install malware on millions of devices, such as the NotPetya or SolarWinds attacks.
However, the overall popularity of this attack is limited by its complexity.
“This attack vector is not something we’re seeing commonly pursued because it’s very difficult to pull off, but it’s certainly very interesting to would-be attackers and on their radar as an appealing route to compromise organizations.”
Leaked GitHub access token provided “endless” opportunities for attackers
The report underlined how serious this incident could have been if successfully exploited by hackers.
“Due to the popularity of Python, inserting malicious code that would eventually end up in Python’s distributables could mean spreading your backdoor to tens of millions of machines worldwide!”
JFrog highlighted one potential attack path involving hiding malicious code in CPython, the repository containing many of the basic libraries at the core of the Python programming language, which is compiled from C code.
This malicious insertion could then be packaged and distributed in various forms: in official Python binaries, upstream in Linux distribution packages such as Ubuntu or Alpine, or to developers who build from source code tarballs.
JFrog also raised a second potential attack vector, in which hackers insert malicious code into PyPI’s Warehouse codebase, which underpins the PyPI package index.
“Imagine an attacker inserting code that grants them a backdoor to PyPI’s storage, allowing them to manipulate very popular PyPI packages, hiding malicious code inside them, or replacing them altogether. Although this is not the most sophisticated way to carry out an attack that would remain undetected for a long time, it’s certainly a scary scenario.”
Moussalli concluded the token would have presented hackers with numerous opportunities to perpetrate further cyber attacks.
“If someone were to put a backdoor on PyPI, the possibilities are endless in terms of distributing malicious packages. I could have replaced all the popular packages on PyPI with a malicious package with some sort of backdoor or Trojan or whatever,” he added.
“So one direction could be the Python language itself, and the other would be the Python packages index where I could have attacked any given package.”
PyPI’s quick response “crucial” to prevent disaster
JFrog commended PyPI for the urgency with which it addressed the issue, taking just 17 minutes to revoke the token after JFrog reached out to them.
It noted that the organization conducted a “thorough check” and found there was no suspicious activity using the token in question.
Moussalli described the importance of responding to incidents of this scale in a timely manner.
“I think there’s no other word to describe it other than crucial. It’s crucial that they would be quick to respond and assess whether or not they have been impacted and if anyone tried or succeeded in using this token, auditing, going over logs to see if it was used and if some perpetrator was able to take advantage of this leak.”

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.