Python's near miss | Another big Supply Chain Outage
#151 - PyPI token exposed 🐍 | 300 cooperative banks in India face an outage
A personal access token used to access PyPI was exposed for over a year
A token was exposed in a Dockerfile for over a year, but hopefully not compromised
The Python Package Index (PyPI) is the official repository for Python software packages, allowing developers to publish and share their Python code with the community. It serves as the default source for package managers like pip, facilitating the installation and management of Python packages and their dependencies.
A GitHub personal access token that had been left in a Dockerfile was never cleaned up. The token had elevated access to the GitHub repositories of Python, PyPI and the Python Software Foundation (PSF). If it had been abused, this could have compromised Python itself.
Publicly exposed tokens are an increasing concern. In this case, there is no evidence that the exposed token was breached, but that’s not the point. It was exposed for months. A compromise would have been disastrous, to put it mildly.
Attacks through PyPI have been prevalent for the last few years. Ever since nation-state actors realized that tampering with publicly available code is an effective attack vector, package indexes like PyPI and npm have been on their radar.
Take Action:
There are two attack vectors to think about:
Exposed tokens from your own team: these can be prevented with strong secure-development and DevSecOps processes. Tools that detect exposed secrets also help.
Use of compromised libraries: these can be prevented with a strong SBOM (Software Bill of Materials) process.
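As an added example (not code from the newsletter or from the PSF), here is the kind of check a pre-commit hook or CI job could run over a Dockerfile to catch the first attack vector above: it flags values that look like GitHub personal access tokens or PyPI API tokens before they get baked into an image layer, where a later "cleanup" of the file no longer removes them. The token prefixes are the publicly documented ones; the length bounds, the sample Dockerfile and the fake tokens in it are constructed assumptions.

```python
import re
from typing import List, Tuple

# Publicly documented prefixes: classic GitHub PATs start with "ghp_", fine-grained
# ones with "github_pat_", PyPI API tokens with "pypi-". Length bounds are assumptions
# chosen to keep false positives low while still matching real-looking tokens.
GITHUB_TOKEN_RE = re.compile(r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b")
PYPI_TOKEN_RE = re.compile(r"\bpypi-[A-Za-z0-9_-]{20,}")


def scan_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, instruction, redacted_token) for every token-like value.

    Any ENV/ARG/RUN/LABEL value is stored in the image and its build history, so a
    token that reaches the build is recoverable by anyone who can pull the image.
    """
    findings: List[Tuple[int, str, str]] = []
    instruction = "?"
    continued = False  # previous line ended with a backslash, so this one has no keyword
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not continued:
            instruction = line.split(None, 1)[0].upper()
        for pattern in (GITHUB_TOKEN_RE, PYPI_TOKEN_RE):
            for match in pattern.finditer(line):
                token = match.group(0)
                # Never echo the full secret into CI logs; keep just enough to locate it.
                findings.append((lineno, instruction, token[:8] + "..." + token[-4:]))
        continued = line.endswith("\\")
    return findings


# Constructed sample: both tokens are fake and only mimic the documented formats.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
# build-time secrets should come from --secret mounts, not from the Dockerfile
ENV GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
ARG PIP_INDEX_URL=https://user:pypi-AgEIcHlwaS5vcmcCJGZha2V0b2tlbg@example.invalid/simple
RUN pip install --no-cache-dir \\
    requests
"""

if __name__ == "__main__":
    for lineno, instruction, redacted in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno} ({instruction}): possible token {redacted}")
```

A hook like this only catches the obvious case; secrets that already reached a pushed image or the git history still have to be revoked, not merely deleted from the file.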
Ransomware attack at a vendor leaves 300 banks in India helpless
Not as big as Crowdstrike, but a huge outage nonetheless
C-Edge Technologies is a service provider to small banks in India. Cooperative banks are smaller banks that depend heavily on vendors for everything related to technology. C-Edge is a popular technology service provider that was formed by India’s largest software development company and India’s largest bank.
C-Edge faced a ransomware attack. It affected the ability of 300 small banks to make payments. Since the banks are quite small, they accounted for only 0.5% of total transactions.
Take Action:
Supply Chain Risk Management / Third Party Risk Management is a crucial part of the solution, but not the only piece. What do you do when you depend on one technology provider for all your core transactions? You cannot afford to have a backup. While you try to make your agreements as strong as possible, it is important to have a strong business continuity plan: a plan that gives clear direction on what to do when your key vendor is unavailable. It is not a unique problem. Manufacturers have been dealing with this problem for nearly a century now.