November 14, 2023 at 07:09AM
Code security firm GitGuardian has discovered thousands of hardcoded credentials in Python code committed to PyPI packages. Nearly 4,000 unique secrets were found in close to 3,000 packages, and more than 760 of them were still valid at the time of the analysis. The leaked secrets included keys and credentials for popular services such as AWS, Azure AD, GitHub, Dropbox, and MongoDB. The firm warns that a valid credential in a public package is an immediate threat, and recommends that affected organizations treat each one as an incident: confirm whether the secret is still live, investigate how it was used, and rotate it. Developers are advised to keep plaintext credentials out of source entirely and to scan their code for secrets before releasing a package.
GitGuardian, a code security firm, has analyzed Python code committed to PyPI packages and discovered thousands of hardcoded credentials. Working with security researcher Tom Forbes, GitGuardian found close to 4,000 unique secrets in nearly 3,000 PyPI packages, with over 760 of them being valid. These credentials include keys for AWS, Azure AD, GitHub, Dropbox, and Auth0, as well as credentials for MongoDB, MySQL, PostgreSQL, and more.
Valid credentials pose an immediate threat because anyone who downloads the package can use them. GitGuardian emphasizes that a leaked credential stays valid until it is rotated, however long ago it was leaked; removing it from a newer release does not help, since the earlier releases remain downloadable from PyPI. The firm also notes that the number of secrets leaked in PyPI packages has been rising, with over 1,000 secrets added in the past year alone.
One concerning aspect is that a leaked secret is often carried into every subsequent release of the package, so the number of occurrences is far larger than the number of unique secrets: GitGuardian counted 56,866 occurrences across PyPI releases. Most leaked secrets were found in .py files, but they also appeared in configuration and documentation files such as .json and .yml, in README files, and in test folders.
The main cause of secrets exposure on PyPI is accidental leakage, and the typical case is not a private package being published wholesale but a single file that was never meant to ship, such as a local configuration file or a test fixture, ending up in the distribution. To prevent this, Python developers are advised to keep credentials out of source files altogether, to scan what they are about to publish for secrets before uploading it, and to make sure secrets never leave the local machine (for example by reading them from environment variables or a secrets manager at runtime rather than from files inside the package).
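A minimal pre-release check along the lines recommended above, written as an added example (it is not GitGuardian's or Tom Forbes's tooling). It scans the files of a package tree for a few well-documented token formats (AWS access key IDs, GitHub tokens, database URIs with an embedded password), applies a looser heuristic for `password = "..."` style assignments, and flags files such as `.env` or `.pypirc` that should never be in a distribution at all. The sample files, the rule names and the `Finding` type are constructed for this example; the AWS key used as test input is the one AWS itself documents as a non-functional example.

```python
"""Pre-release secret scan for a Python package tree (added example, not
GitGuardian's tooling). Run with a directory argument to scan real files, or
with no argument to scan the constructed sample below."""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Detector rules: (rule name, compiled regex). The first three match documented
# token formats; the last is a deliberately loose heuristic for assignments
# like password = "..." and will produce some false positives by design.
SECRET_RULES = [
    ("aws-access-key-id",
     re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")),
    ("github-token",
     re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b")),
    ("database-uri-with-password",
     re.compile(r"\b(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql)://[^:/\s]+:[^@\s]+@", re.I)),
    ("generic-assignment",
     re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{8,})['\"]")),
]

# Files that have no business inside a published package, whatever they contain.
FORBIDDEN_NAMES = {".env", ".pypirc", ".npmrc", "id_rsa", "id_ed25519", "credentials"}
FORBIDDEN_SUFFIXES = {".pem", ".key", ".p12", ".pfx"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int      # 0 when the finding is about the file itself, not a line
    rule: str
    excerpt: str   # redacted, so the scanner never echoes a full secret into CI logs


def redact(value: str) -> str:
    """Keep enough of a match to recognise the token family, hide the rest."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's content; path is used for name-based rules and reporting."""
    findings = []
    name = Path(path).name
    if name in FORBIDDEN_NAMES or Path(path).suffix in FORBIDDEN_SUFFIXES:
        findings.append(Finding(path, 0, "file-should-not-be-published", name))
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_RULES:
            for m in pattern.finditer(line):
                # For rules with a capture group report only the secret value,
                # otherwise the whole match (the token itself).
                findings.append(Finding(path, lineno, rule, redact(m.group(m.lastindex or 0))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of relative path -> content, in deterministic path order."""
    out = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


def scan_directory(root: Path) -> list[Finding]:
    """Scan every file under root, e.g. the tree you are about to build and upload."""
    files = {}
    for p in root.rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            try:
                files[str(p.relative_to(root))] = p.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
    return scan_files(files)


# Constructed sample package tree mirroring where the report found secrets:
# .py files, a .yml config, a README, a test folder, and a stray dotfile.
SAMPLE_FILES = {
    "mypkg/__init__.py": '__version__ = "1.0.0"\n',
    "mypkg/settings.py": (
        "# AWS's documented example access key, used here as constructed test input\n"
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
    ),
    "mypkg/db.py": 'DATABASE_URL = "postgresql://app:hunter2hunter2@db.internal:5432/app"\n',
    "config/settings.yml": 'api_key: "abcd1234efgh5678"\n',
    "README.md": "Export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz before running.\n",
    "tests/test_auth.py": 'password = "correct horse battery staple"\n',
    ".env": "STRIPE_SECRET=sk_test_placeholder\n",
}


def main(argv: list[str]) -> int:
    findings = scan_directory(Path(argv[1])) if len(argv) > 1 else scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.rule}: {f.excerpt}")
    return 1 if findings else 0   # non-zero exit blocks the release step in CI


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the directory you build from (`python scan_secrets.py .`) as the step before `python -m build` and `twine upload`; a non-zero exit stops the pipeline. The regex rules only catch tokens with a recognisable shape, so treat this as a tripwire rather than a substitute for a full secrets scanner, and remember that a secret already in an earlier release has to be rotated, not just removed.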
Exposing secrets in open-source packages carries significant risks for developers and users alike: with a leaked cloud or database credential an attacker gains unauthorized access to the project's infrastructure and data, with a leaked code-hosting or publishing token they can impersonate the package maintainer and ship a malicious release, and the credentials and the access they grant can be used to manipulate users through social engineering.