Security firm JFrog discovered and reported the leak, highlighting the potential danger had the token been misused: an attacker holding it could have injected malicious code into Python packages or into the Python language's own repositories.

Analysts write that the incident shows that scrubbing tokens from source code alone is not enough: credentials can also end up in environment variables, configuration files, and compiled binaries, which source-only secret scanning never inspects.

The leak occurred when PSF's Director of Infrastructure, Yi Durbin, added the access token to bypass GitHub API rate limits during builds. While the token was intended for local use only, it was inadvertently included in compiled .pyc files and uploaded to Docker Hub as part of a container image. Following JFrog's notification, PSF immediately revoked the token and said it "detected no evidence of malicious activity."
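As an added example (not code from the article, JFrog or the PSF), the following Python scanner shows why source-only scanning misses this case: it compiles a constructed sample module to an in-memory .pyc, walks the marshalled code object's string constants for GitHub token shapes, and also offers a raw-byte fallback for any artifact such as a Docker layer. The sample module, the fake token value and the regex are assumptions made for the demonstration.

```python
import importlib.util
import marshal
import re
import types

# Shapes GitHub documents for classic tokens (ghp_/gho_/ghu_/ghs_/ghr_ + 36 chars)
# and fine-grained tokens (github_pat_ + 82 chars). Matched on raw bytes so the
# same pattern works on .pyc files, Docker layers and other binaries, not just source.
TOKEN_RE = re.compile(rb"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b")

# Constructed sample module (hypothetical): a fallback token hard-coded in the
# source survives compilation as a string constant. The token value is fake.
SAMPLE_SOURCE = '''
import os

def fetch():
    token = os.environ.get("GITHUB_TOKEN") or "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
    return token
'''

def compile_to_pyc_bytes(source: str, filename: str = "sample.py") -> bytes:
    """Build a .pyc image in memory: 16-byte PEP 552 header + marshalled code object."""
    code = compile(source, filename, "exec")
    header = importlib.util.MAGIC_NUMBER + b"\x00" * 12  # flags, mtime, source size
    return header + marshal.dumps(code)

def _walk_constants(code: types.CodeType):
    """Yield (owning code name, constant) for every str/bytes constant, recursing into nested code."""
    for const in code.co_consts:
        if isinstance(const, (str, bytes)):
            yield code.co_name, const
        elif isinstance(const, types.CodeType):
            yield from _walk_constants(const)

def find_tokens_in_pyc(pyc_bytes: bytes) -> list:
    """Unmarshal a .pyc and report (function name, token) for each matching constant."""
    code = marshal.loads(pyc_bytes[16:])  # skip the header
    hits = []
    for owner, const in _walk_constants(code):
        data = const if isinstance(const, bytes) else const.encode("utf-8", "surrogatepass")
        hits.extend((owner, m.group(0).decode()) for m in TOKEN_RE.finditer(data))
    return hits

def scan_blob(blob: bytes) -> list:
    """Fallback for arbitrary artifacts (a Docker layer, a wheel): regex over raw bytes."""
    return [m.group(0).decode() for m in TOKEN_RE.finditer(blob)]
```

Running `find_tokens_in_pyc(compile_to_pyc_bytes(SAMPLE_SOURCE))` attributes the hit to the `fetch` function, and `scan_blob` over the same bytes finds it too, because marshal stores short ASCII strings verbatim.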

Source: Ferra
