Summary:
- A personal GitHub access token with administrative privileges for Python’s repositories was exposed for over a year in a Docker Hub image.
- The token, belonging to the Python Software Foundation’s infrastructure director, highlights risks beyond source code, including environment variables, configuration files, and binary artifacts.
- JFrog security researchers emphasize the potential consequences if such tokens fall into the wrong hands, including injecting malicious code into PyPI packages and even Python itself.
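The second point above, that secrets hide in environment variables, configuration files and binary artifacts rather than only in source, is the kind of thing a defender checks by scanning the whole image, not just a repository. The following is an added example (not code from the original summary, from JFrog, or from the PSF) that walks a `docker save`-style tarball in memory and regex-scans the image config's ENV entries and every file in every layer, including opaque binary blobs. The sample image, file names (`root/.pypirc`, `usr/bin/helper.pyc`, `deadbeef.json`) and the token value are constructed for the demonstration; only the `ghp_` / `github_pat_` prefixes are real GitHub token formats. Findings are redacted to the prefix so the report itself does not re-leak a secret.

```python
import io
import json
import re
import tarfile

# Classic GitHub personal access tokens are "ghp_" plus 36 base62 characters;
# fine-grained tokens are "github_pat_" plus a longer base62/underscore body.
TOKEN_RE = re.compile(rb"ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,}")


def redact(token: bytes) -> str:
    """Keep only the prefix so a report never re-leaks the secret."""
    return token[:8].decode("ascii") + "..."


def scan_bytes(data: bytes, where: str) -> list[tuple[str, str]]:
    """Regex-scan any byte string: text, JSON, or an opaque binary blob."""
    return [(where, redact(m.group(0))) for m in TOKEN_RE.finditer(data)]


def scan_image_config(config_bytes: bytes, where: str) -> list[tuple[str, str]]:
    """Check the ENV entries baked into the image config (docker save layout)."""
    cfg = json.loads(config_bytes)
    findings = []
    for i, kv in enumerate(cfg.get("config", {}).get("Env", [])):
        findings += scan_bytes(kv.encode(), f"{where}:Env[{i}]")
    return findings


def scan_layer(layer_bytes: bytes, where: str) -> list[tuple[str, str]]:
    """Walk every regular file in a layer tar and scan its raw contents."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            fobj = tf.extractfile(member)
            if fobj is None:
                continue
            findings += scan_bytes(fobj.read(), f"{where}:{member.name}")
    return findings


def scan_saved_image(image_bytes: bytes) -> list[tuple[str, str]]:
    """Scan a `docker save`-style tarball: image config JSON plus layer tars."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            data = tf.extractfile(member).read()
            if member.name.endswith(".json") and member.name != "manifest.json":
                findings += scan_image_config(data, member.name)
            elif member.name.endswith(".tar"):
                findings += scan_layer(data, member.name)
    return findings


# --- constructed sample image: not a real image and not a real token ---------
FAKE_TOKEN = b"ghp_EXAMPLEexampleEXAMPLEexampleEXAMPLE0"


def _add_file(tf: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tf.addfile(info, io.BytesIO(data))


def build_sample_image() -> bytes:
    """Build an in-memory tarball shaped like `docker save` output, with the
    constructed token hidden in an ENV entry, a config file and a binary."""
    layer = io.BytesIO()
    with tarfile.open(fileobj=layer, mode="w") as lt:
        _add_file(lt, "root/.pypirc",
                  b"[pypi]\nusername=__token__\npassword=" + FAKE_TOKEN + b"\n")
        _add_file(lt, "usr/bin/helper.pyc",
                  b"\x00\xff" * 16 + FAKE_TOKEN + b"\x00" * 8)  # binary blob
        _add_file(lt, "app/README", b"nothing secret here\n")
    config = {"config": {"Env": ["GITHUB_TOKEN=" + FAKE_TOKEN.decode(),
                                 "PATH=/usr/bin"]}}
    image = io.BytesIO()
    with tarfile.open(fileobj=image, mode="w") as it:
        _add_file(it, "manifest.json", b"[]")
        _add_file(it, "deadbeef.json", json.dumps(config).encode())
        _add_file(it, "layer1/layer.tar", layer.getvalue())
    return image.getvalue()


if __name__ == "__main__":
    for where, tok in scan_saved_image(build_sample_image()):
        print(f"{where}: {tok}")
```

Running the script reports three hits (the ENV entry, the `.pypirc` file and the `.pyc` blob) and nothing for the README, which is the point: a scanner limited to text files or to the source repository would have missed two of the three. For a real image, feed it the output of `docker save` instead of `build_sample_image()`.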