What if the Python programming language itself were malicious? It would be the most devastating supply chain attack in human history – and it almost happened

An important GitHub token was accidentally leaked, almost leading to the most devastating supply chain attack in human history.
Discovered by cybersecurity researchers from JFrog, the GitHub Personal Access Token was found in a public Docker container hosted on Docker Hub, and granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF).
"This case was exceptional because it is difficult to overestimate the potential consequences if it had fallen into the wrong hands – one could supposedly inject malicious code into PyPI packages (imagine replacing all Python packages with malicious ones), and even to the Python language itself," the researchers explained in their writeup.
Exposed for months
The token was found inside a Docker container in a compiled Python file that was erroneously not cleaned up, they added.
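The detail that the token sat in a compiled Python file is worth seeing concretely: bytecode keeps string constants verbatim, so a .pyc left behind in an image is as readable as the source it came from. The following Python is an added example (not JFrog's tooling or code from the article) that compiles a constructed module holding a fake, correctly shaped token and then finds it two ways: a regex over the raw .pyc bytes, and a walk of the unmarshalled code object's constants. The token prefixes and lengths in TOKEN_RE are an assumption about GitHub's token format, and the module name and token value are constructed.

```python
import marshal
import py_compile
import re
import tempfile
from pathlib import Path

# Constructed fake token: the right shape (ghp_ + 36 alphanumerics), not a real credential.
FAKE_TOKEN = "ghp_" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"

# Constructed source, as a build helper might look if credentials are baked in at packaging time.
SOURCE = f'''
GITHUB_TOKEN = "{FAKE_TOKEN}"
def headers():
    return {{"Authorization": "Bearer " + GITHUB_TOKEN}}
'''

# Assumed GitHub token shapes: classic ghp_/gho_/ghu_/ghs_/ghr_ tokens and fine-grained github_pat_ tokens.
TOKEN_RE = re.compile(rb"gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}")


def compile_to_pyc(workdir: Path) -> Path:
    """Write the constructed module and compile it to a standalone .pyc, as a build step would."""
    src = workdir / "build_helper.py"
    src.write_text(SOURCE)
    pyc = workdir / "build_helper.pyc"
    py_compile.compile(str(src), cfile=str(pyc), doraise=True)
    return pyc


def scan_bytes(blob: bytes) -> list:
    """Cheapest check: grep the raw bytes of any file pulled out of an image layer."""
    return [m.decode() for m in TOKEN_RE.findall(blob)]


def scan_pyc_constants(pyc: Path) -> list:
    """Structured check: skip the 16-byte .pyc header, unmarshal the code object and walk
    every nested code object's co_consts so strings inside functions are covered too."""
    stack = [marshal.loads(pyc.read_bytes()[16:])]
    found = []
    while stack:
        for const in stack.pop().co_consts:
            if isinstance(const, str) and TOKEN_RE.search(const.encode()):
                found.append(const)
            elif hasattr(const, "co_consts"):
                stack.append(const)
    return found


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        pyc = compile_to_pyc(Path(tmp))
        return {"raw": scan_bytes(pyc.read_bytes()), "consts": scan_pyc_constants(pyc)}
```

Running demo() shows the same fake token recovered by both methods, which is why deleting the .py source from an image without also removing __pycache__ or stray .pyc files leaves the secret in place.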
According to PyPI, the token was issued before March 3, 2023, but the exact date is impossible to determine since the logs only last for 90 days. PyPI Admin Ee Durbin was notified on June 28 this year, after which the token was revoked.
The Python Package Index (PyPI) is the world’s number one source for Python packages. The open-source platform is a central hub for developers looking to publish and share their Python software and libraries with the community. As such, it is an extremely popular target for cybercriminals interested in supply-chain attacks.
By sneaking malicious packages into the platform (or poisoning existing ones), cybercriminals can compromise hundreds of organizations in one fell swoop.
To make matters worse, many Fortune 100 companies use PyPI in their software products, including Google, Microsoft, Amazon, and Apple.
In late March 2024, the platform was forced to suspend new account and new project registrations to tackle a large-scale cyberattack in which threat actors tried to upload hundreds of malicious packages.