Security research team claims to have helped avert a major supply chain attack

Share post:

JFrog Security Research team continuously scans public repositories such as Docker Hub, NPM, and PyPI to identify malicious packages and leaked secrets. The company does this as a public service and when weaknesses are found, the team reports their findings to the maintainers of these repositories before attackers can take advantage of them.

This team claims that in the course of this activity, they have helped to thwart what could have been a catastrophic breach.

They discovered a leaked GitHub access token with admin access to Python’s infrastructure in a public Docker container. This token, found in a compiled Python file, could have enabled severe supply chain attacks on PyPI and Python itself.

The team reported it to PyPI, who acted extremely quickly, revoking the token within 17 minutes and according to the researchers, prevented potential disaster.

This incident underscores the importance of ensuring that proper practices are in place not only with the maintainers of the code, but also that any company using these sources also have their own sophisticated due diligence. That due diligence includes what the authors referred to as “shifting right” – in this case looking for “secrets” in the binaries and production artifacts and not just in the source code.

But it also points out the necessity for ensuring the principle of least access is followed in every case, but especially where there is wide and frequent use. The compromise of the GitHub PAT that they detected would have provided access to the entire Python Infrastructure, and may have facilitated a “supply chain disaster.”

Moreover, they found what is referred to as a “classic” GitHub token in one of the public Docker Hub repositories. These “classic” tokens grant similar permissions across all repositories the user has access to. Newer tokens, have more “fine grained” access.

In the case they detected, the user had admin access to the core repositories of Python’s infrastructure, including Python Software Foundation (PSF), PyPI, the Python language and CPython – hence the potential for an enormous compromise.

While this was, thankfully, detected and quick action was taken to fix the problem, it is hopefully a lesson that will be widely shared.

More information can be found at jFrog’s site.



Related articles

Amazon reviews losing trust as number of fake reviews are uncovered

Amazon's customer review system, once trusted for its verified buyer opinions, is increasingly under scrutiny as more and...

Apple Vision Pro U.S. sales plummet

Apple's Vision Pro headset, priced at $3,500, is experiencing a significant drop in U.S. sales. Market analysts report...

Phishing attacks on state and local governments surge by 360%

Phishing attacks targeting state and local governments have surged by 360% between May 2023 and May 2024, according...

What is Ticketmaster saying to its customers?

Here's the letter that has been sent out out to Ticketmaster clients that a reader sent to me....

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways