Significant software supply chain attacks could have been deployed with the potential infiltration of the GitHub repositories for the Python programming language, Python Package Index, and Python Software Foundation via an accidentally exposed GitHub authentication token, according to The Hacker News.
PyPi has immediately moved to revoke the authentication token, which had been given to PyPI Admin EE Durbin before March 3, 2023, reported JFrog researchers. Durbin noted the continuous appearance of GitHub API rate limits upon developing a portion of the codebase for cabotage-app5. "While in production the system is configured as a GitHub App, I modified my local files to include my own access token in an act of laziness, rather than configure a localhost GitHub App. These changes were never intended to be pushed remotely," said Durbin. Such a development follows a Checkmarx report detailing malicious PyPI packages that have been leveraged for data exfiltration to an Iraq-linked Telegram bot.