The popular Python package repository PyPI was found to host AWS keys and malware (opens in new tab)putting countless Python developers at risk of serious supply chain attacks.
The Results comes courtesy of software developer Tom Forbes, who built a tool with Rust that scanned all new packages on PyPI for AWS API keys.
The tool came back with 57 positive results, including some from Amazon, Intel, Stanford, Portland and Louisiana University, the Australian Government, the fusion division of General Atomics, Terradata, Delta Lake, and Top Glove.
Minimize the damage
“This report contains the keys found, as well as a public link to the keys and other metadata about the release,” Forbes said. “Because these keys are committed to a public GitHub repository, Github’s Secret Scanning service kicks in and notifies AWS that the keys have been leaked.”
Consequently, AWS notifies the developer of the leak and quarantines it to minimize damage. The problem is that a tool like this was relatively easy to build, and while Forbes may be benign in its intentions, others may not be. Speak against The registerhe said that different keys can cause different levels of pain:
“It depends on the exact permissions given to the key itself,” explains Forbes. “The key I found leaked from InfoSys (in November) had ‘full admin access’ meaning it can do anything, and other keys I found in PyPI were ‘root keys’ which are also allowed to do anything. An attacker holding these keys would have full access to the AWS account it is associated with.”
He added that GitHub’s automated key scanning is a positive step forward, but not enough to address the problem in its entirety:
“GitHub also cares deeply about supply chain security, but they’ve dug themselves a hole: the way they scan for secrets requires a lot of collaboration with vendors who may release internal information about how keys are constructed to GitHub,” he said. This means that the regular expressions that GitHub uses to scan for secrets cannot be made public and are sensitive, which also means that third parties like PyPI effectively cannot use this great infrastructure without sending every piece of code published on PyPI to GitHub.”
While he blamed PyPI and said the platform could do more to protect its users, he also said developers should take some responsibility for the security of their solutions. Moreover, AWS should also be part of the solution, he added: “AWS also has a debt to share here: IAM is notoriously difficult to debug and get right, leading to overly broad permissions on keys.”
To protect against supply chain attacks via PyPI, Forbes says organizations need to rethink their security policies.
Through: The register (opens in new tab)
This content was originally published here.