JFrog prevents massive Python supply chain attack with timely discovery

Turns out, the most dangerous python wasn’t in the Amazon, but in a Docker container. JFrog: 1, Digital Disaster: 0.

In a discovery that could have led to a devastating supply chain attack, researchers from JFrog have uncovered a leaked GitHub token granting administrator access to Python’s core infrastructure. The token was found in a Docker image named “cabotage-app,” specifically within a binary file “pycache/build.cpython-311.pyc” containing cached compiled bytecode.

According to information from the PyPI blog post, the token was created in 2023 for Ee Durbin, the Director of Infrastructure at the Python Software Foundation. This high-privilege token provided administrator access to all project repositories and organizations, including those of pypi, python, psf, and pypa.

“The implications of someone finding this leaked token could be extremely severe,” the JFrog team reports. They outline potential attack scenarios, including inserting malicious code into CPython, which could potentially spread a backdoor to millions of machines worldwide, given Python’s popularity.

The problematic Docker image was published to Docker Hub on March 3, 2023, and remained publicly accessible for 16 months until its removal on June 11, 2024. The token was not revoked until June 28, 2024, leaving a significant window of potential exposure.

Interestingly, the available source code used to generate the problematic bytecode file does not contain the token. The developer explained that during the development of the cabotage-app toolkit, he temporarily added his working token to bypass GitHub API access limits. Although he removed the token before publishing the code, he overlooked its presence in the precompiled bytecode file.

The JFrog team provided a code snippet illustrating how the token might have been initially included:

def _fetch_github_file(
    github_repository="owner/repo",
    ref="main",
    access_token="0d6a9bb5af126f73350a2afc058492765446aaad",  # token hard-coded as a default argument
    filename="Dockerfile",
):
    ...  # function body not shown in the snippet

This incident underscores the importance of comprehensive secret scanning practices. As the JFrog team notes, “Scanning for secrets in source code is not enough. Modern IDEs and development tools effectively detect secrets in source code and prevent their leakage. However, their scope is limited to code and doesn’t include binary artifacts created by build and packaging tools.”
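As an added illustration of scanning build artifacts rather than only source (this is not JFrog's or PyPI's code), the following Python check unmarshals a .pyc file and looks for token-shaped strings among its constants, which is where a default argument value ends up. The token patterns, function names and the sample bytecode are assumptions constructed for this example.

```python
import importlib.util
import marshal
import re
import types

# Prefixed GitHub tokens plus the older 40-hex form shown in the article.
# 40 hex characters also match git commit SHAs, so hits are leads to review.
TOKEN_RE = re.compile(r"gh[pousr]_[A-Za-z0-9]{36}|[0-9a-f]{40}")


def iter_strings(obj):
    """Yield every str reachable from a code object's constants."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (tuple, frozenset)):
        for item in obj:
            yield from iter_strings(item)
    elif isinstance(obj, types.CodeType):
        # Default-argument values sit in the enclosing code object's constants;
        # nested functions and classes appear there as code objects.
        for const in obj.co_consts:
            yield from iter_strings(const)


def scan_pyc(data):
    """Return sorted token-like strings found in the bytes of one .pyc file."""
    try:
        # CPython 3.7+ layout: 16-byte header, then a marshalled code object.
        # marshal is not hardened against hostile input: parse only artifacts
        # you built yourself.
        obj = marshal.loads(data[16:])
    except (ValueError, EOFError, TypeError):
        obj = None
    if isinstance(obj, types.CodeType):
        strings = iter_strings(obj)
    else:
        # Other interpreter version or damaged file: search the raw bytes.
        strings = [data.decode("latin-1")]
    return sorted({m.group(0) for s in strings for m in TOKEN_RE.finditer(s)})


def build_sample_pyc(token):
    """Constructed sample: a module whose function default is a token."""
    src = f'def fetch(ref="main", access_token="{token}"):\n    return ref\n'
    code = compile(src, "build.py", "exec")
    return importlib.util.MAGIC_NUMBER + b"\x00" * 12 + marshal.dumps(code)


FAKE_TOKEN = "ghp_" + "A" * 36  # constructed placeholder, not a real credential
```

Calling scan_pyc on the bytes of each .pyc in an unpacked image layer, alongside the usual source scan, covers the gap the JFrog team describes.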

Fortunately, an audit conducted by Python developers revealed no third-party attempts to access repositories using the exposed token. However, the potential consequences were severe. As GitHub has been the primary platform for CPython development since 2017, an attacker with this token could have compromised the entire infrastructure used for Python development and the PyPI repository, potentially integrating backdoors into CPython and the PyPI package manager.

On a positive note, when informed of the leak, “PyPI’s security team responded very quickly by revoking it and responding to us just 17 minutes after we reached out to them,” the JFrog team reported.

Posted by Alex Ivanovs

Alex is the lead editor at Stack Diary and covers stories on tech, artificial intelligence, security, privacy and web development. He previously worked as a lead contributor for Huffington Post for their Code column.