What if the Python programming language itself were malicious? It would be the most devastating supply chain attack in human history, and it very nearly happened

An important GitHub token was accidentally leaked, almost leading to the most devastating supply chain attack in human history.
Discovered by cybersecurity researchers from JFrog, the GitHub Personal Access Token was found in a public Docker container hosted on Docker Hub, and granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF).
"This case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands – one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself," the researchers explained in their writeup.
Exposed for months
The token was found inside a Docker container in a compiled Python file that was erroneously not cleaned up, they added.
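The detail that the token sat in a compiled Python file matters for defenders: byte-compiling does not hide string constants, so a credential hardcoded in a .py file is stored verbatim in the resulting .pyc, and a cleanup step that deletes only the source leaves the secret behind. The following added example (not code from the JFrog writeup, PyPI or the PSF) reproduces that with a constructed, non-functional token and runs a simple pattern scan over a directory the way one would over an extracted image layer. The token regex is this example's approximation of GitHub token formats, and the file and variable names are constructed.

```python
import marshal
import py_compile
import re
import tempfile
from pathlib import Path

# Approximate shapes of GitHub tokens (assumption of this example): classic PATs and
# OAuth/app tokens use a 4-char prefix ("ghp_", "gho_", "ghu_", "ghs_", "ghr_") plus
# 36 alphanumerics; fine-grained PATs start with "github_pat_".
GITHUB_TOKEN_RE = re.compile(
    rb"(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})"
)

# Constructed, non-functional token used only as sample input.
FAKE_TOKEN = "ghp_" + "A" * 36

# Constructed source file: a credential hardcoded the way a build helper might do it.
SAMPLE_SOURCE = (
    "import os\n"
    f'GITHUB_TOKEN = "{FAKE_TOKEN}"\n'
    "def push(): return os.environ.get('CI') and GITHUB_TOKEN\n"
)


def find_github_tokens(blob: bytes) -> list[str]:
    """Return every GitHub-token-shaped string in a raw byte blob (deduplicated, sorted)."""
    return sorted({m.decode("ascii") for m in GITHUB_TOKEN_RE.findall(blob)})


def compiled_bytes(source: str) -> bytes:
    """Byte-compile source and serialise the code object the way a .pyc body is stored.

    String constants are marshalled verbatim, which is why a secret in .py ends up in .pyc.
    """
    return marshal.dumps(compile(source, "<sample>", "exec"))


def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan every regular file under root (e.g. an extracted image layer) as raw bytes.

    No file-type filtering on purpose: .pyc, wheels, logs and config all get the same check.
    """
    hits = {}
    base = Path(root)
    for path in base.rglob("*"):
        if path.is_file():
            found = find_github_tokens(path.read_bytes())
            if found:
                hits[str(path.relative_to(base))] = found
    return hits


def demo() -> dict[str, list[str]]:
    """Compile the sample, delete only the .py (a botched cleanup), then scan what is left."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "build_helper.py"
        src.write_text(SAMPLE_SOURCE)
        pyc = Path(tmp) / "build_helper.pyc"
        py_compile.compile(str(src), cfile=str(pyc), doraise=True)
        src.unlink()  # source gone, bytecode (and the secret inside it) still present
        return scan_tree(tmp)


if __name__ == "__main__":
    for file, tokens in demo().items():
        print(f"{file}: {tokens}")
```

Running the script reports the token inside `build_helper.pyc` even though the `.py` no longer exists. The practical mitigations follow from the same fact: keep credentials out of source entirely (environment or a secrets manager), scan image layers as raw bytes rather than trusting file extensions, and treat a deleted `.py` as no guarantee that its `.pyc` or `__pycache__` entry went with it.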
According to PyPI, the token was issued before March 3, 2023, but the exact date is impossible to determine because logs are retained for only 90 days. PyPI Admin Ee Durbin was notified on June 28 this year, after which the token was revoked.
The Python Package Index (PyPI) is the world’s number one source for Python packages. The open-source platform is a central hub for developers looking to publish and share their Python software and libraries with the community. As such, it is an extremely popular target for cybercriminals interested in supply-chain attacks.
By sneaking malicious packages into the platform (or poisoning existing ones), cybercriminals can compromise hundreds of organizations in one fell swoop.
To make matters worse, many Fortune 100 companies use PyPI in their software products, including Google, Microsoft, Amazon, and Apple.
In late March 2024, the platform was forced to suspend new account and new project registrations to tackle a large-scale cyberattack in which threat actors tried to upload hundreds of malicious packages.