IT House reported on July 16 that network security experts discovered an accidentally leaked GitHub token that could access the Python language, Python Package Index (PyPI) and Python Software Foundation (PSF) repositories with the highest permissions.

Network security company JFrog stated that the GitHub private access token was hosted in a public Docker container on Docker Hub. IT House attached the relevant content of the blog post as follows:

This security case is very special. If the token fell into the hands of criminals, the destructive potential could not be overstated. For example, an attacker could inject malicious code into PyPI packages (and then push updates to all Python packages, replacing them with malware), or even inject malicious code into the Python language itself.

JFrog said the authentication token was found in a compiled Python file ("build.cpython-311.pyc") inside the public Docker container. It was created before March 3, 2023; the exact creation date is currently unknown because the security logs expire after 90 days.

After JFrog disclosed the token on June 28, 2024, it was immediately revoked. There is no evidence that the token was used by hackers.
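The token in this case was recovered from a compiled .pyc, not from source, so a secret scan of container contents that only greps source files would miss it. The script below is an added defender-side illustration, not code from the article or from JFrog's tooling: it compiles a small constructed module containing a fake token and then walks the resulting .pyc's code objects for strings matching GitHub's documented token prefixes (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_). The file names and the sample secret are constructed for the demo.

```python
"""Scan compiled Python bytecode (.pyc) for GitHub-style access tokens.

Added example, not from the IT House article or JFrog's tooling. The token
prefixes are GitHub's documented formats; the sample secret and file names
below are constructed for this demo.
"""
import marshal
import py_compile
import re
import tempfile
from pathlib import Path

# Classic PAT (ghp_), OAuth (gho_), user-to-server (ghu_), server-to-server
# (ghs_), refresh (ghr_) and fine-grained PAT (github_pat_). Token lengths
# vary, so match the prefix followed by a run of token characters.
TOKEN_PATTERN = r"(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,}"
TOKEN_RE = re.compile(TOKEN_PATTERN)
TOKEN_RE_BYTES = re.compile(TOKEN_PATTERN.encode())

# Constructed, non-functional token used only to exercise the scanner.
FAKE_TOKEN = "ghp_EXAMPLEFAKE0000000000000000000000000"


def scan_bytes(blob: bytes) -> list:
    """Raw byte scan usable on any file pulled out of a container layer."""
    return [m.group(0).decode() for m in TOKEN_RE_BYTES.finditer(blob)]


def walk_code(code):
    """Yield a code object and every code object nested in its constants."""
    yield code
    for const in code.co_consts:
        if hasattr(const, "co_consts"):
            yield from walk_code(const)


def scan_pyc(pyc_path) -> list:
    """Return token-like string constants found anywhere in a .pyc.

    Inspects each code object's constants (so functions, classes and nested
    scopes are covered) rather than relying on a raw byte grep alone.
    """
    data = Path(pyc_path).read_bytes()
    # CPython 3.7+ .pyc header: magic, flags, mtime/hash, size = 16 bytes.
    module_code = marshal.loads(data[16:])
    found = []
    for obj in walk_code(module_code):
        for const in obj.co_consts:
            if isinstance(const, str):
                for m in TOKEN_RE.finditer(const):
                    if m.group(0) not in found:
                        found.append(m.group(0))
    return found


def demo() -> list:
    """Compile a constructed module that embeds FAKE_TOKEN and scan it."""
    source = (
        "def build():\n"
        f"    token = {FAKE_TOKEN!r}  # constructed secret for the demo\n"
        "    return token\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "build.py"
        pyc = Path(tmp) / "build.pyc"
        src.write_text(source)
        py_compile.compile(str(src), cfile=str(pyc), doraise=True)
        return scan_pyc(pyc)


if __name__ == "__main__":
    print(demo())
```

In practice the same walk would be applied to every .pyc extracted from each image layer; the raw `scan_bytes` pass is the cheap first filter, and `scan_pyc` is the check that confirms a hit is an actual string constant rather than a coincidental byte run.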