PyPI Packages Found to Expose Thousands of Secrets

GitGuardian discovered roughly 4,000 secrets in nearly 3,000 PyPI packages, including Azure, AWS, and GitHub keys.

An analysis of the Python code committed to PyPI packages has revealed the presence of thousands of hardcoded credentials, code security firm GitGuardian warns.

Working together with security researcher Tom Forbes, GitGuardian uncovered close to 4,000 unique secrets inside nearly 3,000 PyPI packages and says that more than 760 of these secrets were found to be valid.

Overall, the researchers identified 151 individual types of secrets, including AWS, Azure AD, GitHub, Dropbox, and Auth0 keys, credentials for MongoDB, MySQL, and PostgreSQL, and SSH, Coinbase, and Twilio Master credentials.

Valid credentials pose a critical and immediate threat to the organizations that own them, since threat actors can still use them, which is why validating leaked secrets is a crucial step in incident investigations.

According to GitGuardian, the fact that it was able to validate fewer than 800 credentials does not mean that the remaining leaked credentials are invalid.

“Only once a secret has been properly rotated can you know if it is invalid. Some types of secrets GitGuardian is still working toward automatically validating include Hashicorp Vault Tokens, Splunk Authentication Tokens, Kubernetes Cluster Credentials, and Okta Tokens,” the company notes.

The security firm also notes that the number of secrets leaked in PyPI packages has increased over time, and the inclusion of fresh, valid credentials is steadily increasing as well. More than 1,000 secrets have been added to PyPI over the past year alone.

What’s also alarming is that a leaked secret is often shipped in multiple releases of the same package, which significantly increases the number of occurrences.


“To put those numbers in perspective, there are over 450,000 projects released through the PyPI website, containing over 9.4 million files. There have been over 5 million released versions of these packages. If we add up all the secrets shared across all the releases, we found 56,866 occurrences of secrets,” the researchers note.

Most of the leaked secrets were identified in .py files, but configuration/documentation files such as .json and .yml, along with ‘readme’ files were also found to store credentials. The researchers also found hundreds of secrets in various files within test folders.

The main cause of secrets exposure in PyPI, GitGuardian notes, is accidental leakage. Accidentally publishing individual files is a more common issue than making an entire package public, and new releases are often pushed quickly to remove those files.

To prevent leaking secrets, Python developers are advised to avoid embedding unencrypted credentials in their packages and to always scan the code for secrets before a release, so that any credential present in the tree never leaves the local machine.
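A minimal version of that pre-release check, written as an added example for this article rather than any tool from GitGuardian or Tom Forbes: it walks a package tree (or an unpacked sdist), flags strings matching a few public, documented credential formats (AWS access key IDs, GitHub personal access tokens, private key blocks, database URLs carrying a password), and groups hits by the file classes the research reports on, namely .py files, config and documentation files, readme files, and test folders. The sample tree and every key value in it are constructed for the demo (the AWS value is the placeholder key from AWS's own documentation); the function names are this example's, not a library API.

```python
"""Pre-release secret scan for a Python package tree (added example).

Run it from CI before `twine upload`: a non-zero exit blocks the release
until the credential is rotated and removed from the tree.
"""
import os
import re
import tempfile
from collections import Counter

# Public, documented credential formats. Anything subtler (generic high-entropy
# strings, cloud provider variants) belongs to a dedicated scanner; this is a gate.
PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "Database URL with password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:\s/]+:[^@\s/]+@"),
}

# File types the article found secrets in, plus the usual config suspects.
SCAN_EXTENSIONS = {".py", ".json", ".yml", ".yaml", ".toml", ".cfg", ".ini",
                   ".md", ".txt", ".env"}


def classify(relpath):
    """Bucket a file the way the research reports its findings."""
    parts = relpath.replace("\\", "/").lower().split("/")
    name = parts[-1]
    if any(p in ("test", "tests") for p in parts[:-1]):
        return "test folder"
    if name.startswith("readme"):
        return "readme"
    if os.path.splitext(name)[1] == ".py":
        return "python source"
    return "config/docs"


def scan_tree(root):
    """Return a list of (relative path, category, secret type, line number)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # VCS metadata and virtualenvs are not shipped in the package; skip them.
        dirnames[:] = [d for d in dirnames
                       if d not in (".git", ".venv", "venv", "__pycache__")]
        for fn in filenames:
            ext = os.path.splitext(fn)[1].lower()
            if ext not in SCAN_EXTENSIONS and not fn.lower().startswith("readme"):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        for kind, rx in PATTERNS.items():
                            if rx.search(line):
                                findings.append((rel, classify(rel), kind, lineno))
            except OSError:
                continue
    return findings


def summarize(findings):
    """Count hits per file category, mirroring the article's breakdown."""
    return Counter(cat for _, cat, _, _ in findings)


def build_sample_tree():
    """Construct a throwaway package tree with planted, fake secrets (constructed data)."""
    root = tempfile.mkdtemp(prefix="pkg-")
    files = {
        # AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS documentation.
        "mypkg/__init__.py": 'AWS_KEY = "AKIAIOSFODNN7EXAMPLE"\n',
        "mypkg/settings.yml": "db: postgres://app:hunter2@db.internal:5432/app\n",
        "tests/test_api.py": 'TOKEN = "ghp_' + "a" * 36 + '"\n',
        "README.md": "# mypkg\nNo secrets here.\n",
        "mypkg/clean.py": "def f():\n    return 1\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def release_gate(root):
    """Return True when the tree is clean; print each hit otherwise."""
    findings = scan_tree(root)
    for rel, cat, kind, lineno in sorted(findings):
        print(f"{rel}:{lineno}: {kind} [{cat}]")
    return len(findings) == 0


if __name__ == "__main__":
    sample = build_sample_tree()
    clean = release_gate(sample)
    print("clean" if clean else "blocked: rotate the credential and remove it before uploading")
```

On the constructed tree the gate reports three hits, one each in Python source, a config file, and a test folder, and returns False; the clean README and the clean module produce nothing. Because the patterns are deliberately narrow, a hit here is a hard stop, but a clean run is not proof of absence, which is the same point GitGuardian makes about validation: only rotation settles the question.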

“Exposing secrets in open-source packages carries significant risks for developers and users alike. Attackers can exploit this information to gain unauthorized access, impersonate package maintainers, or manipulate users through social engineering tactics,” GitGuardian notes.

Related: Thousands of Popular Websites Leaking Secrets

Related: ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks

Related: Millions of Exposed Artifacts Found in Misconfigured Cloud Software Registries

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
