The Ultimate Guide to Non-Human Identities Report

PyPI Breach

NHI Mgmt Group

Overview

In November 2023, a significant security incident was uncovered involving the exposure of thousands of hardcoded secrets in packages hosted on the Python Package Index (PyPI). This incident revealed that thousands of PyPI packages contained hardcoded secrets, such as API keys, database credentials, and authentication tokens, posing severe security risks to developers and organizations using these packages in production environments. These secrets, many of which were still active, posed substantial security risks for both developers and organizations relying on these packages.

What is PyPl?

The Python Package Index (PyPI) serves as the primary package repository for the Python community, enabling developers to share and integrate third-party code efficiently. With open-source packages constituting up to 90% of production code, they have become a cornerstone of modern software development. However, this extensive reliance introduces significant security risks, particularly when vulnerabilities such as hardcoded credentials are present. Given the widespread adoption of these packages, any minor security flaw can propagate rapidly across dependent systems, leading to potentially severe breaches.

What Went Wrong?

PyPI, as a central repository for Python packages, is widely used by developers to distribute and download libraries for various applications. During a comprehensive security scan, thousands of secrets were uncovered within public PyPI packages. These secrets included:

  • API Keys: For cloud services such as AWS, Azure, and Google Cloud.

  • Database Credentials: Connection strings to production and staging environments.

  • Access Tokens: For third-party integrations, CI/CD pipelines, and internal tools.

These secrets, inadvertently or maliciously embedded in code, can be exploited by attackers to gain unauthorized access to critical systems, disrupt operations, or further infiltrate an organization's network.

Discovered Credentials - Source GitGuardian

How Was It Discovered?

The issue was identified during an analysis of open-source packages using automated scanning tools configured to detect sensitive information. The tools flagged several high-profile packages, which prompted a deeper investigation:

  1. Scanning Repository Histories: Version control histories revealed that some secrets were committed as early as the initial versions of the affected packages.

  2. Pattern Matching: The scans identified credentials through common patterns, such as AWS keys (AKIA.), Base64-encoded tokens, and other identifiable formats.

  3. Recurrent Findings: Many secrets were discovered not just in package code but also in configuration files, test scripts, and dependency declarations.

The investigation uncovered over 5,000 unique secrets across thousands of packages, some of which had millions of downloads.

Root Causes

The presence of secrets in PyPI packages can be attributed to several factors:

  1. Poor Development Practices - Developers frequently hardcode credentials in scripts or use them in local testing without sanitizing them before committing to version control.

  2. Misconfigured CI/CD Pipelines - In some cases, credentials used in automated pipelines inadvertently leaked through logs or configuration files uploaded to PyPI.

  3. Inadequate Secret Management Tools - Many teams lack robust tools to detect and manage secrets during development, leading to unintended exposure.

Potential Impact

Exposed secrets in PyPI packages represent a major supply chain vulnerability. Attackers can exploit these credentials to infiltrate organizations, pivot through infrastructure, or deploy further malicious payloads. Since PyPI is widely used in the Python development community, any compromised package can have a cascading effect across thousands of dependent projects.

Lessons For the Future

  • Use Secrets Detection Solutions - Automated tools like can detect secrets embedded in source code and prevent them from being committed.

  • Educate Developers - Training developers in secure coding practices and emphasizing the dangers of hardcoding secrets is critical.

  • Establish Security Policies - Implement policies for periodic credential rotation, monitoring, and access restriction.

  • Centralized Secret Management - Implement secure secret storage solutions with strict access controls.

Conclusion

This incident highlights the ongoing challenges of securing credentials in open-source environments and emphasizes the need for better practices, such as using secure secret management tools and regularly auditing dependencies.

Addressing these issues is essential to safeguarding the future of open-source development and preventing similar incidents in the future. Secure coding practices and proactive security measures are critical for protecting the integrity and security of the software supply chain.

About Glossary

Terms & Conditions Privacy policy

Non-Human Identity Mgmt Group

The Non-Human Identity Management Group is the #1 Authority for research and education on Non-Human Identity risks. We provide Independent guidance and expert advice to organizations, helping them understand, manage and secure these huge risks effectively.

Subscribe to our Newsletter

Subscribe

© 2024

Contact us if you would like to get some independent guidance and advice on how to start tackling Non-Human Identity Risks.