PyPI Blog: Token Exfiltration Campaign via GitHub Actions Workflows (opens in new tab)

(blog.pypi.org)

76 pointsmiketheman9mo ago20 comments

20 comments

15 comments · 5 top-level

nodesocket9mo ago· 6 in thread

While Python being more widely used than JS, it's interesting the majority of attacks and breaches come from NPM. The consensus seems to be that Python offering a standard library greatly reduces the attack surface over JS. I tend to agree with this, a decently large Flask python app I am working on has 15 entries in requirements.txt (many of which being Flask plugins).

magnio9mo ago

https://www.sonatype.com/blog/pytorch-namespace-dependency-c...

https://socket.dev/blog/pypi-package-disguised-as-instagram-...

https://socket.dev/blog/monkey-patched-pypi-packages-steal-s...

https://socket.dev/blog/malicious-pypi-package-targets-disco...

https://socket.dev/blog/typosquatting-on-pypi-malicious-pack...

zahlman9mo ago

The most important packages in the Python world don't have a lot of their own dependencies. Numpy has none, for example. The bulk of Numpy is non-Python code and interfaces/wrappers for that; the standard library isn't AFAIK pulling a whole lot of weight there.

nwellnhof9mo ago

Numpy depends on BLAS and LAPACK.

1 more reply

kinow9mo ago

I also think the same. While in Java the stdlib lacks a few functions, long ago Apache Commons became the de-facto complement for the Java stdlib, being replaced/complemented by other libs over time, and eventually even becoming obsolete with newer versions of Java. But I always had the impression that having Apache Software Foundation components (with a good release/security process) helped Java to mitigate a lot of attacks.

o11c9mo ago

Javascript is also hindered by the fact that you have to "pay" for every library you download. This encourages a culture of reinventing the wheel, because "I don't need all that," preventing de-factor stdlib supplements from existing.

Hasnep9mo ago

The large attack surface with npm is partly because of all the transitive dependencies used, which means that even if you only pull in a dozen packages directly, you're also using hundreds of other packages. Running `pip freeze` will list a lot of transitive dependencies as well, but I'm sure it'll be less than an equivalent JS project.

zahlman9mo ago· 2 in thread

> Attackers targeted a wide variety of repositories, many of which had PyPI tokens stored as GitHub secrets, modifying their workflows to send those tokens to external servers. While the attackers successfully exfiltrated some tokens, they do not appear to have used them on PyPI.

It's wild to me that people entrust a third-party CI system with API secrets, and then also entrust that same system to run "actions" provided by other third parties.

blibble9mo ago

it's even worse that that

the CI system itself encourages you to import random third party code into your CI workflow, based on mutable tags

which then receives full privileges

the entire thing is insane

NeutralForest9mo ago

That's why I stick mostly with Github actions and pin the SHA of the commits instead of the tag version.

1 more reply

Liskni_si9mo ago· 2 in thread

If you can change a GitHub Actions workflow to exfiltrate a token, what prevents you from changing the workflow that uses Trusted Publishing to make changes to the package before publishing it? Perhaps by adding an innocent looking use of an external Action?

darkamaul9mo ago

Nothing.

However, exfiltrating a token is much more easy than modifying the workflow itself. A token is usually simply stored in an env variable.

Liskni_si9mo ago

In general, yes, it is easier to exfiltrate the token because if you can control some of the code that runs with the token available as an env var, you can do whatever.

In the specific case of the attack described in the blog post, though, the attackers added an extra GitHub Actions workflow that sent the token to an external server. That means they had enough privileges to change GHA workflows, and could just as easily change a workflow that used Trusted Publishing.

(It may be possible to configure branch protections or rules limiting who/when can trigger the Trusted Publishing workflow, but it's about as difficult as limiting the secret tokens to only be available to some maintainers.)

darkamaul9mo ago

Huge kudos to Mike for handling this attack and appropriately contacting the maintainers.

I’m also glad to see yet another case where having Trusted Publishing configured would have prevented the attack. That’s a cheap defense that has proven effective once again!

mikethemanOP9mo ago

Incident report of a recent attack campaign targeting GitHub Actions workflows to exfiltrate PyPI tokens, our response, and steps to protect your projects.

j / k navigate · click thread line to collapse

20 comments

15 comments · 5 top-level

nodesocket9mo ago· 6 in thread

magnio9mo ago

https://www.sonatype.com/blog/pytorch-namespace-dependency-c...

https://socket.dev/blog/pypi-package-disguised-as-instagram-...

https://socket.dev/blog/monkey-patched-pypi-packages-steal-s...

https://socket.dev/blog/malicious-pypi-package-targets-disco...

https://socket.dev/blog/typosquatting-on-pypi-malicious-pack...

zahlman9mo ago

nwellnhof9mo ago

Numpy depends on BLAS and LAPACK.

1 more reply

kinow9mo ago

o11c9mo ago

Hasnep9mo ago

zahlman9mo ago· 2 in thread

It's wild to me that people entrust a third-party CI system with API secrets, and then also entrust that same system to run "actions" provided by other third parties.

blibble9mo ago

it's even worse that that

the CI system itself encourages you to import random third party code into your CI workflow, based on mutable tags

which then receives full privileges

the entire thing is insane

NeutralForest9mo ago

That's why I stick mostly with Github actions and pin the SHA of the commits instead of the tag version.

1 more reply

Liskni_si9mo ago· 2 in thread

darkamaul9mo ago

Nothing.

However, exfiltrating a token is much more easy than modifying the workflow itself. A token is usually simply stored in an env variable.

Liskni_si9mo ago

In general, yes, it is easier to exfiltrate the token because if you can control some of the code that runs with the token available as an env var, you can do whatever.

darkamaul9mo ago

Huge kudos to Mike for handling this attack and appropriately contacting the maintainers.

I’m also glad to see yet another case where having Trusted Publishing configured would have prevented the attack. That’s a cheap defense that has proven effective once again!

mikethemanOP9mo ago

Incident report of a recent attack campaign targeting GitHub Actions workflows to exfiltrate PyPI tokens, our response, and steps to protect your projects.

j / k navigate · click thread line to collapse