Leaked PyPI Tokens Expose 125 Packages to Potential Misuse


GitGuardian reported 62 active leaked PyPI tokens, affecting 125 packages on the platform. The tokens were found primarily on GitHub: 19,586 occurrences were identified, which filtering reduced to 3,714 unique tokens. PyPI tokens are bearer tokens with specific restrictions, and most of the leaked ones were exposed in 2024. GitHub's secret scanning integration with PyPI, established in 2021, is intended to revoke exposed tokens automatically; that a significant number of tokens remain valid indicates gaps in that scanning coverage. The potential impact spans around 13,000 monthly downloads across the affected packages. GitHub's recent enhancements to secret scanning may improve future detection and revocation of leaked tokens.

Key Points:
• 62 active leaked PyPI tokens identified, affecting 125 packages.
• Most tokens were leaked on GitHub, with a significant number remaining valid.
• GitHub's integration with PyPI aims to revoke exposed tokens automatically.


Timeline

2021-01-01: GitHub-PyPI integration launched
  GitHub's secret scanning integration with PyPI was completed, enabling automatic revocation of exposed tokens.
  Source: blog.pypi.org

2024-01-01: Major token leaks occur
  A significant number of PyPI tokens were leaked on GitHub, with 2024 being a peak year for such incidents.
  Source: Blog.Gitguardian

2026-06-23: GitHub enhances secret scanning
  GitHub announced improvements to its secret scanning capabilities, now covering issue titles and descriptions.
  Source: blog.pypi.org

2026-06-24: GitGuardian reports on leaked tokens
  GitGuardian published findings on 62 active leaked PyPI tokens, revealing their potential impact on 125 packages.
  Source: Blog.Gitguardian
