undefined | Better HN

0 pointsImustaskforhelp1d ago0 comments

> - Krrish

Was your account completely compromised? (Judging from the commit made by TeamPCP on your accounts)

Are you in contacts with all the projects which use litellm downstream and if they are safe or not (I am assuming not)

I am unable to understand how it compromised your account itself from the exploit at trivvy being used in CI/CD as well.

0 comments

detente181d ago

It was the PYPI_PUBLISH token which was in our github project as an env var, that got sent to trivvy.

We have deleted all our pypi publishing tokens.

Our accounts had 2fa, so it's a bad token here.

We're reviewing our accounts, to see how we can make it more secure (trusted publishing via jwt tokens, move to a different pypi account, etc.).

redrove1d ago

How did PYPI_PUBLISH lead to a full GH account takeover?

ezekg1d ago

I'd imagine the attacker published a new compromised version of their package, which the author eventually downloaded, which pwned everything else.

chunky19941d ago

Their Personal Access Token must’ve been pwned too, not sure through what mechanism though

1 more reply

franktankbank1d ago

Don't hold your breath for an answer.

mike_hearn1d ago

Perhaps it's too obvious but ... just running the publish process locally, instead of from CI, would help. Especially if you publish from a dedicated user on a Mac where the system keychain is pretty secure.

staticassertion1d ago

I'm not sure how. Their local system seems just as likely to get compromised through a `pip install` or whatever else.

In CI they could easily have moved `trivy` to its own dedicated worker that had no access to the PYPI secret, which should be isolated to the publish command and only the publish command.

1 more reply

tedivm1d ago

This problem is solved by not having a token. Github and PyPI both support OIDC based workflows. Grant only the publish job access to OIDC endpoint, then the Trivy job has nothing it can steal.

1 more reply

NewJazz1d ago

Are you spelling it with two vs on purpose?

redrove1d ago

>I am unable to understand how it compromised your account itself from the exploit at trivvy being used in CI/CD as well.

Token in CI could've been way too broad.

franktankbank1d ago

He would have to state he didn't in fact make all those commits and close the issue.

j / k navigate · click thread line to collapse

0 comments

detente181d ago

It was the PYPI_PUBLISH token which was in our github project as an env var, that got sent to trivvy.

We have deleted all our pypi publishing tokens.

Our accounts had 2fa, so it's a bad token here.

We're reviewing our accounts, to see how we can make it more secure (trusted publishing via jwt tokens, move to a different pypi account, etc.).

redrove1d ago

How did PYPI_PUBLISH lead to a full GH account takeover?

ezekg1d ago

I'd imagine the attacker published a new compromised version of their package, which the author eventually downloaded, which pwned everything else.

chunky19941d ago

Their Personal Access Token must’ve been pwned too, not sure through what mechanism though

1 more reply

franktankbank1d ago

Don't hold your breath for an answer.

mike_hearn1d ago

staticassertion1d ago

I'm not sure how. Their local system seems just as likely to get compromised through a `pip install` or whatever else.

In CI they could easily have moved `trivy` to its own dedicated worker that had no access to the PYPI secret, which should be isolated to the publish command and only the publish command.

1 more reply

tedivm1d ago

This problem is solved by not having a token. Github and PyPI both support OIDC based workflows. Grant only the publish job access to OIDC endpoint, then the Trivy job has nothing it can steal.

1 more reply

NewJazz1d ago

Are you spelling it with two vs on purpose?

redrove1d ago

>I am unable to understand how it compromised your account itself from the exploit at trivvy being used in CI/CD as well.

Token in CI could've been way too broad.

franktankbank1d ago

He would have to state he didn't in fact make all those commits and close the issue.

j / k navigate · click thread line to collapse