While Durbin knew that including personal access tokens (PATs) in source code is poor security practice, the change was made only to his local copy of the codebase and was never meant to be pushed to the remote. In fact, the automated build and deployment script was supposed to revert local changes, which should have scrubbed the token.
What Durbin did not realize was that the token was also baked into the .pyc files (Python compiled bytecode) generated as part of the build process, and that these files, stored in the __pycache__ folder, were not configured to be excluded from the final Docker image uploaded to Docker Hub. Reverting the .py source does nothing to a stale .pyc that was compiled while the token was still present, so the bytecode carried the secret into the image.
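The failure mode above, reproduced as an added example (this is not the cabotage project's code, and the token is a constructed dummy in the shape of a GitHub classic PAT, "ghp_" followed by 36 alphanumerics). It hard-codes the placeholder into a module, byte-compiles it into __pycache__ the way a build step would, then "reverts" only the source and scans the directory the way one would scan a build context or image layer for leaked credentials:

```python
"""Show how a secret hard-coded in a .py file survives in __pycache__.

Added example, not code from the cabotage project. DUMMY_TOKEN is a
constructed placeholder, not a real credential. Assumes Python 3.9+ and a
writable temporary directory; nothing is sent anywhere.
"""
import os
import py_compile
import re
import tempfile

# GitHub classic PATs are "ghp_" + 36 alphanumerics; fine-grained tokens start
# with "github_pat_". Matching on raw bytes lets the same pattern find the
# string inside a marshalled .pyc as well as in plain source text.
TOKEN_RE = re.compile(rb"(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})")

DUMMY_TOKEN = "ghp_" + "A" * 36  # constructed placeholder, never a live token


def write_and_compile(root: str, source: str) -> str:
    """Write config.py under root and byte-compile it into root/__pycache__."""
    src = os.path.join(root, "config.py")
    with open(src, "w", encoding="utf-8") as fh:
        fh.write(source)
    # py_compile writes __pycache__/config.cpython-XY.pyc by default, which is
    # what importing or compiling the package during a build does as well.
    return py_compile.compile(src, doraise=True)


def scan_for_tokens(root: str) -> list[tuple[str, str]]:
    """Walk a directory tree and report every file holding a PAT-shaped string."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for m in TOKEN_RE.finditer(data):
                hits.append((os.path.relpath(path, root), m.group(0).decode()))
    return hits


def demonstrate() -> dict:
    """Hard-code a token, revert only the source, and see what still leaks."""
    with tempfile.TemporaryDirectory() as root:
        # 1. Developer hard-codes the token locally; the build compiles it.
        write_and_compile(root, f'GITHUB_TOKEN = "{DUMMY_TOKEN}"\n')
        before = scan_for_tokens(root)
        # 2. The build script reverts local changes to the source file only.
        #    The stale .pyc is untouched on disk; Python would recompile it on
        #    the next import, but a COPY into an image ships the file as-is.
        with open(os.path.join(root, "config.py"), "w", encoding="utf-8") as fh:
            fh.write("GITHUB_TOKEN = None\n")
        after = scan_for_tokens(root)
        return {
            "before": sorted(p for p, _ in before),
            "after": sorted(p for p, _ in after),
        }


if __name__ == "__main__":
    result = demonstrate()
    print("files holding the token before the revert:", result["before"])
    print("files still holding it after the revert:  ", result["after"])
```

After the revert the only hit is the .pyc under __pycache__, which is exactly what ends up in an image unless the build context excludes it; adding `__pycache__/` and `*.pyc` to .dockerignore (or `.gitignore` equivalents for other packaging paths) closes that gap, and running a byte-level scan like the one above over the built image's filesystem catches it when the ignore rules are wrong.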
After being notified by JFrog in late June, the PyPI security team revoked the token and reviewed all GitHub audit logs and account activity for possible signs that the token might have been used maliciously. No evidence of malicious use was found. The cabotage-app image containing the token was published on Docker Hub on March 3, 2023, and was removed on June 21, 2024, fifteen months later.