The popular Python package repository PyPI was found to host AWS keys and malware (opens in new tab)exposing countless Python developers to severe supply chain attacks.
the Results Courtesy of software engineer Tom Forbes, who used Rust to create a tool that scanned all new packages on PyPI for AWS API keys.
The tool came back with 57 positive results, including some from Amazon, Intel, Stanford, Portland and Louisiana University, the Australian government, General Atomics’ fusion division, Terradata, Delta Lake and Top Glove.
damage minimization
“This report includes the keys found, as well as a public link to the keys and other metadata about the release,” Forbes said. “Since these keys are committed to a public GitHub repository, GitHub’s Secret Scanning Service steps in and notifies AWS that the keys have been leaked.”
Consequently, AWS notifies the developer of the leak and quarantines it to minimize damage. The problem is that a tool like this was relatively easy to build, and while Forbes may be benevolent in its intentions, others may not be. Speak with The registryhe said that different keys can cause different degrees of pain:
“It depends on the exact permissions granted to the key itself,” Forbes explained. “The key I found was leaked by InfoSys [in November] had “full admin access” meaning it can do anything, and other keys I found in PyPI were “root keys” which are also allowed to do anything. An attacker who possessed these keys would have full access to the AWS account to which they are linked.”
He added that GitHub’s automated key scanning is a positive step forward, but not enough to fully address the issue:
“GitHub also cares a lot about supply chain security, but they dug a hole for themselves: the way they look for secrets requires a lot of collaboration with vendors who may disclose internal information about how keys are created at GitHub become,” he said. “This means that the regular expressions that GitHub uses to scan for secrets cannot be made public and are sensitive, which also means that third parties like PyPI are virtually incapable of using this great infrastructure without giving GitHub every bit of code published on PyPI to send. “
While he blamed PyPI and said the platform could do more to protect its users, he also said developers should take some responsibility for the security of their solutions. Furthermore, AWS should also be a part of the solution, he added: “Also, AWS has some to blame: IAM is notoriously difficult to debug and get right, resulting in overly broad permissions being granted on keys.”
To protect against supply chain attacks via PyPI, companies should reconsider their security policies, according to Forbes.
Above: The registry (opens in new tab)
