Hunting Leaked PyPI Tokens: 62 Live, 125 Packages Exposed
Blog post from GitGuardian
PyPI has been a recurring target in supply chain attacks, often due to the publication of malicious packages, prompting an investigation into exposed credentials. GitGuardian's Public Monitoring revealed numerous leaked PyPI tokens, primarily from GitHub and Docker Hub, with a significant number still valid and linked to active projects. Analysis of these tokens using the Python module pypitoken showed various restriction levels, providing insights into the associated projects and users. A surprising number of valid tokens persisted on GitHub despite existing scanning and revocation measures, suggesting potential gaps in GitHub's scanning coverage. Responsible disclosure to the PyPI security team led to the invalidation of these tokens and the development of new tools to facilitate future disclosures. The findings underscore the tangible risk posed by leaked PyPI tokens, emphasizing the need for proactive security measures, such as scanning for secrets, scoping tokens to specific projects, and ignoring sensitive files in version control to mitigate potential supply chain attacks.
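Two of the steps in that summary, scanning for secrets and reading a token's restrictions, can be shown in one small program. The block below is an added example and is not GitGuardian's code or the pypitoken module: it scans text for PyPI-token-shaped strings (the fixed `pypi-AgEIcHlwaS5vcmc` prefix is the base64 of the v2 macaroon header, version byte plus the `pypi.org` location) and then decodes each hit's macaroon structure to list its caveats, which is what scoping a token to specific projects looks like on the wire. The names `build_token`, `decode_token` and `scan_text`, the root key, identifiers and sample files are all constructed here; the caveat payload is modelled on PyPI's project-scoping JSON, but the exact schema is PyPI's to define and is not asserted.

```python
"""Scan text for PyPI-token-shaped strings and decode each hit's macaroon
structure (location, identifier, caveat payloads) without validating it.
Added example, not GitGuardian's or pypitoken's code. The tokens placed in
SAMPLE_TEXT are built below with a made-up key, so none of them is live."""
import base64
import hashlib
import hmac
import re

# A PyPI token is "pypi-" plus an unpadded urlsafe-base64 v2 binary macaroon.
# Its first bytes are fixed (version 0x02, location tag 0x01, length 0x08,
# "pypi.org") and always encode to "AgEIcHlwaS5vcmc", the anchor a scanner
# can key on; the rest is more base64 alphabet.
TOKEN_RE = re.compile(r"pypi-AgEIcHlwaS5vcmc[A-Za-z0-9_-]{40,}")

# v2 binary macaroon field tags (libmacaroons encoding)
EOS, LOCATION, IDENTIFIER, VID, SIGNATURE = 0, 1, 2, 4, 6


def _varint(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append((byte | 0x80) if n else byte)
        if not n:
            return bytes(out)


def _field(tag, data):
    return bytes([tag]) + _varint(len(data)) + data


def build_token(key, identifier, caveats, location=b"pypi.org"):
    """Serialise a v2 macaroon in the layout PyPI tokens use (header, first-party
    caveats, HMAC-SHA256 signature chain). All inputs are constructed demo values."""
    sig = hmac.new(key, identifier, hashlib.sha256).digest()
    body = b"\x02" + _field(LOCATION, location) + _field(IDENTIFIER, identifier) + bytes([EOS])
    for cav in caveats:
        sig = hmac.new(sig, cav, hashlib.sha256).digest()  # each caveat re-keys the chain
        body += _field(IDENTIFIER, cav) + bytes([EOS])
    body += bytes([EOS]) + _field(SIGNATURE, sig)
    return "pypi-" + base64.urlsafe_b64encode(body).decode().rstrip("=")


def _read_field(buf, pos):
    tag = buf[pos]
    pos += 1
    if tag == EOS:
        return tag, b"", pos
    length, shift = 0, 0
    while True:  # LEB128 length prefix
        byte = buf[pos]
        pos += 1
        length |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    return tag, buf[pos:pos + length], pos + length


def decode_token(token):
    """Return the structural content of a token. This does NOT prove the token
    is valid: only PyPI, holding the root key, can check the signature."""
    raw = token[len("pypi-"):]
    buf = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))
    if buf[0] != 2:
        raise ValueError("not a v2 macaroon")
    info = {"location": None, "identifier": None, "caveats": []}
    tag, data, pos = _read_field(buf, 1)
    if tag == LOCATION:
        info["location"] = data.decode()
        tag, data, pos = _read_field(buf, pos)
    if tag != IDENTIFIER:
        raise ValueError("missing identifier")
    info["identifier"] = data.decode()
    tag, _, pos = _read_field(buf, pos)  # EOS closes the header
    while True:  # caveat = [location] identifier [vid] EOS; the list ends with EOS
        tag, data, pos = _read_field(buf, pos)
        if tag == EOS:
            break
        if tag == LOCATION:
            tag, data, pos = _read_field(buf, pos)
        if tag != IDENTIFIER:
            raise ValueError("malformed caveat")
        info["caveats"].append(data.decode(errors="replace"))
        tag, data, pos = _read_field(buf, pos)
        if tag == VID:  # third-party caveat; PyPI tokens carry first-party ones only
            tag, data, pos = _read_field(buf, pos)
        if tag != EOS:
            raise ValueError("unterminated caveat")
    tag, sig, pos = _read_field(buf, pos)
    info["signature_bytes"] = len(sig) if tag == SIGNATURE else 0
    return info


def scan_text(text):
    """Find token-shaped strings line by line; report a redacted value and caveats."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            tok = match.group(0)
            try:
                caveats = decode_token(tok)["caveats"]
            except (ValueError, IndexError):
                caveats = None  # token-shaped but does not parse
            findings.append({"line": lineno, "redacted": tok[:20] + "..." + tok[-4:],
                             "caveats": caveats})
    return findings


# Constructed sample: a .pypirc and a Dockerfile ENV line, each holding a token
# built above. The caveat payload is modelled on PyPI's project-scoping JSON;
# the exact schema is PyPI's to define and is not asserted here.
_SCOPED = build_token(b"demo-root-key", b"demo-user-0001",
                      [b'{"version": 1, "permissions": {"projects": ["example-pkg"]}}'])
_UNSCOPED = build_token(b"demo-root-key", b"demo-user-0002", [])
SAMPLE_TEXT = ("[pypi]\nusername = __token__\npassword = " + _SCOPED + "\n"
               "FROM python:3.12-slim\nENV TWINE_PASSWORD=" + _UNSCOPED + "\n")

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_TEXT):
        print(finding)
```

Run as a script it reports two hits, line 3 carrying one project-scoping caveat and line 5 carrying none. The decode step is triage only: it tells you how much a leaked token could do (one project versus an account-wide token) but cannot tell you whether it is still valid, which is why the post's disclosure went through the PyPI security team for invalidation. In a pre-commit hook or CI job, `scan_text` over staged files is the "scan for secrets" control the summary calls for, and an empty `caveats` list on a hit is the signal that the token should also have been scoped.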
| Trend | Post Mentions | Total Month Mentions | Posts | Companies | MoM |
|---|---|---|---|---|---|
| Secrets Management | 2 | 2,063 | 322 | 117 | -4% |