GitHub token leak almost led to Python supply chain attack

Jul 17, 2024 at 02:58 am

What if the Python programming language itself was malicious? It would be the most devastating supply chain attack in human history, and it almost happened.

An important GitHub token was accidentally leaked, almost leading to the most devastating supply chain attack in human history.

Discovered by cybersecurity researchers from JFrog, the GitHub Personal Access Token was found in a public Docker container hosted on Docker Hub, and granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF).

"This case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands – one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself," the researchers explained in their writeup.

Exposed for months

The token was found inside a Docker container, in a compiled Python file that had mistakenly not been removed from the image, they added.
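A defender-side check for exactly this failure mode, added here as an example and not code from the techradar or JFrog writeups: it unmarshals every .pyc under a directory (such as an unpacked container image layer) and flags string constants shaped like GitHub tokens, including those inside nested functions. The token prefixes are GitHub's documented ones; the fixed token lengths and the sample leaky module are constructed assumptions.

```python
"""Scan .pyc files (e.g. from an unpacked container image) for embedded GitHub tokens.
Constructed example; the fake token below is not a real credential, and the token
lengths are an assumption taken from GitHub's published formats."""
import importlib.util
import marshal
import re
import types
from pathlib import Path

# Classic PATs: prefix + 36 chars; fine-grained PATs: github_pat_ + 82 chars (assumed).
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b|\bgithub_pat_[A-Za-z0-9_]{82}\b")
PYC_HEADER_LEN = 16  # magic(4) + flags(4) + mtime/hash(8) in Python 3.7+

def iter_string_constants(code):
    """Yield every str constant in a code object, descending into nested code objects."""
    for const in code.co_consts:
        if isinstance(const, str):
            yield const
        elif isinstance(const, types.CodeType):
            yield from iter_string_constants(const)

def find_tokens_in_pyc(data: bytes) -> list[str]:
    """Unmarshal a .pyc blob and return every GitHub-token-shaped string constant."""
    code = marshal.loads(data[PYC_HEADER_LEN:])
    return [t for s in iter_string_constants(code) for t in GITHUB_TOKEN_RE.findall(s)]

def scan_tree(root) -> dict[str, list[str]]:
    """Map each .pyc under `root` to the tokens it contains; unloadable files are skipped."""
    findings = {}
    for pyc in Path(root).rglob("*.pyc"):
        try:
            hits = find_tokens_in_pyc(pyc.read_bytes())
        except (ValueError, EOFError, TypeError):
            continue  # compiled by a different interpreter, or not a real .pyc
        if hits:
            findings[str(pyc)] = hits
    return findings

def build_pyc(source: str) -> bytes:
    """Compile `source` to .pyc bytes with a timestamp-style header, as CPython writes them."""
    code = compile(source, "<constructed>", "exec")
    return importlib.util.MAGIC_NUMBER + bytes(12) + marshal.dumps(code)

# Constructed sample: a publish helper that hard-codes a fake classic PAT.
FAKE_TOKEN = "ghp_" + "A" * 36
LEAKY_SOURCE = f'def publish():\n    return {{"Authorization": "token {FAKE_TOKEN}"}}\n'
```

Run `scan_tree()` against a directory produced by `docker save` plus extracting each layer tarball; a non-empty result means a credential shipped in the image even though no `.py` source did.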

According to PyPI, the token was issued before March 3, 2023, but the exact date is impossible to determine because PyPI's logs are only retained for 90 days. PyPI Admin Ee Durbin was notified on June 28 this year, after which the token was revoked.

The Python Package Index (PyPI) is the world’s number one source for Python packages. The open-source platform is a central hub for developers looking to publish and share their Python software and libraries with the community. As such, it is an extremely popular target for cybercriminals interested in supply-chain attacks.

By sneaking malicious packages into the platform (or poisoning existing ones), cybercriminals can compromise hundreds of organizations in one fell swoop.

To make matters worse, many Fortune 100 companies use PyPI in their software products, including Google, Microsoft, Amazon, and Apple.

In late March 2024, the platform was forced to suspend new account and new project registrations to tackle a large-scale cyberattack in which threat actors tried to upload hundreds of malicious packages.

Original source: techradar
