{"id":1239773,"date":"2024-07-15T15:57:14","date_gmt":"2024-07-15T17:57:14","guid":{"rendered":"https:\/\/teknomers.com\/fr\/une-fuite-de-jetons-github-expose-les-referentiels-principaux-de-python-a-des-attaques-potentielles\/"},"modified":"2024-07-15T15:57:18","modified_gmt":"2024-07-15T17:57:18","slug":"une-fuite-de-jetons-github-expose-les-referentiels-principaux-de-python-a-des-attaques-potentielles","status":"publish","type":"post","link":"https:\/\/teknomers.com\/fr\/une-fuite-de-jetons-github-expose-les-referentiels-principaux-de-python-a-des-attaques-potentielles\/","title":{"rendered":"Une fuite de jetons GitHub expose les r\u00e9f\u00e9rentiels principaux de Python \u00e0 des attaques potentielles"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">15 juillet 2024<\/span><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">R\u00e9daction<\/span><\/span><span class=\"p-tags\">Attaque de la cha\u00eene d&#8217;approvisionnement \/ cybermenace<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" href=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/07\/Une-fuite-de-jetons-GitHub-expose-les-referentiels-principaux-de.png\" style=\"clear: left; display: block; float: left; text-align: center;\"><\/a><\/div>\n<p>Des chercheurs en cybers\u00e9curit\u00e9 ont d\u00e9clar\u00e9 avoir d\u00e9couvert un jeton GitHub divulgu\u00e9 accidentellement qui aurait pu accorder un acc\u00e8s \u00e9lev\u00e9 aux r\u00e9f\u00e9rentiels GitHub du langage Python, Python Package Index (PyPI) et aux r\u00e9f\u00e9rentiels Python Software Foundation (PSF).<\/p>\n<p>JFrog, qui a d\u00e9couvert le jeton d&#8217;acc\u00e8s personnel GitHub, a d\u00e9clar\u00e9 que le secret avait \u00e9t\u00e9 divulgu\u00e9 dans un conteneur Docker public h\u00e9berg\u00e9 sur Docker Hub.<\/p>\n<p>\u00ab Ce cas \u00e9tait exceptionnel car il est difficile de surestimer les cons\u00e9quences potentielles s&#8217;il tombait entre de mauvaises mains \u2013 on pourrait soi-disant injecter du code malveillant dans les packages PyPI (imaginez remplacer tous les packages Python par des packages malveillants), et m\u00eame dans le langage Python lui-m\u00eame \u00bb, a d\u00e9clar\u00e9 la soci\u00e9t\u00e9 de s\u00e9curit\u00e9 de la cha\u00eene d&#8217;approvisionnement de logiciels. <a rel=\"nofollow noopener\" href=\"https:\/\/jfrog.com\/blog\/leaked-pypi-secret-token-revealed-in-binary-preventing-suppy-chain-attack\/\" target=\"_blank\">dit<\/a>.<\/p>\n<p>Un attaquant aurait pu hypoth\u00e9tiquement utiliser son acc\u00e8s administrateur pour orchestrer une attaque de cha\u00eene d\u2019approvisionnement \u00e0 grande \u00e9chelle en empoisonnant le code source associ\u00e9 au c\u0153ur du langage de programmation Python ou au gestionnaire de packages PyPI.<\/p>\n<div class=\"dog_two clear\"><center class=\"cf\"><a rel=\"nofollow noopener\" href=\"https:\/\/thehackernews.uk\/auditboard-it-risk-now\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"La cyber-s\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/06\/Des-pirates-informatiques-lies-a-la-Chine-infiltrent-une-entreprise.png\" width=\"727\" height=\"90\"\/><\/a><\/center><\/div>\n<p>JFrog a not\u00e9 que le jeton d&#8217;authentification a \u00e9t\u00e9 trouv\u00e9 \u00e0 l&#8217;int\u00e9rieur d&#8217;un conteneur Docker, dans un fichier Python compil\u00e9 (\u00ab build.cpython-311.pyc \u00bb) qui n&#8217;a pas \u00e9t\u00e9 nettoy\u00e9 par inadvertance.<\/p>\n<p>Suite \u00e0 une divulgation responsable le 28 juin 2024, le jeton \u2013 qui a \u00e9t\u00e9 \u00e9mis pour le compte GitHub li\u00e9 \u00e0 l\u2019administrateur PyPI Ee Durbin \u2013 a \u00e9t\u00e9 imm\u00e9diatement r\u00e9voqu\u00e9. Il n\u2019existe aucune preuve que le secret ait \u00e9t\u00e9 exploit\u00e9 dans la nature.<\/p>\n<p>PyPI a d\u00e9clar\u00e9 que le jeton avait \u00e9t\u00e9 \u00e9mis avant le 3 mars 2023 et que la date exacte est inconnue en raison du fait que les journaux de s\u00e9curit\u00e9 ne sont pas disponibles au-del\u00e0 de 90 jours.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a rel=\"nofollow\" href=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/07\/1721066233_360_Une-fuite-de-jetons-GitHub-expose-les-referentiels-principaux-de.png\" style=\"clear: left; display: block; float: left; text-align: center;\"><img decoding=\"async\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/07\/1721066233_360_Une-fuite-de-jetons-GitHub-expose-les-referentiels-principaux-de.png\" alt=\"\" border=\"0\" data-original-height=\"220\" data-original-width=\"863\"\/><\/a><\/div>\n<p>\u00ab Lors du d\u00e9veloppement local de cabotage-app5, en travaillant sur la partie build de la base de code, je me heurtais constamment aux limites de d\u00e9bit de l&#8217;API GitHub \u00bb, a d\u00e9clar\u00e9 Durbin. <a rel=\"nofollow noopener\" href=\"https:\/\/checkmarx.com\/blog\/malicious-python-packages-reveal-extensive-cybercriminal-operation-based-in-iraq\/\" target=\"_blank\">expliqu\u00e9<\/a>.<\/p>\n<p>\u00ab Ces limites de d\u00e9bit s&#8217;appliquent \u00e0 l&#8217;acc\u00e8s anonyme. Alors qu&#8217;en production, le syst\u00e8me est configur\u00e9 comme une application GitHub, j&#8217;ai modifi\u00e9 mes fichiers locaux pour inclure mon propre jeton d&#8217;acc\u00e8s dans un acte de paresse, plut\u00f4t que de configurer une application GitHub locale. Ces modifications n&#8217;ont jamais \u00e9t\u00e9 destin\u00e9es \u00e0 \u00eatre appliqu\u00e9es \u00e0 distance. \u00bb<\/p>\n<p>Cette r\u00e9v\u00e9lation intervient alors que Checkmarx a d\u00e9couvert une s\u00e9rie de packages malveillants sur PyPI, con\u00e7us pour exfiltrer des informations sensibles vers un bot Telegram sans le consentement ou la connaissance des victimes.<\/p>\n<section class=\"dog_two clear\"><center class=\"cf\"><a rel=\"nofollow noopener\" href=\"https:\/\/thehackernews.uk\/encrypted-drives-d\" target=\"_blank\" title=\"Cybersecurity\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"La cyber-s\u00e9curit\u00e9\" src=\"https:\/\/teknomers.com\/fr\/wp-content\/uploads\/2024\/07\/Des-failles-critiques-non-corrigees-ont-ete-revelees-dans-le.gif\" width=\"727\" height=\"90\"\/><\/a><\/center><\/section>\n<p>Les packages en question \u2013 testbrojct2, proxyfullscraper, proxyalhttp et proxyfullscrapers \u2013 fonctionnent en analysant le syst\u00e8me compromis \u00e0 la recherche de fichiers correspondant \u00e0 des extensions telles que .py, .php, .zip, .png, .jpg et .jpeg.<\/p>\n<p>\u00ab Le bot Telegram est li\u00e9 \u00e0 de multiples op\u00e9rations cybercriminelles bas\u00e9es en Irak \u00bb, a d\u00e9clar\u00e9 Yehuda Gelb, chercheur chez Checkmarx. <a rel=\"nofollow noopener\" href=\"https:\/\/blog.pypi.org\/posts\/2024-07-08-incident-report-leaked-admin-personal-access-token\/\" target=\"_blank\">dit<\/a>notant que l&#8217;historique des messages du bot remonte \u00e0 2022.<\/p>\n<p>\u00ab Le bot fonctionne \u00e9galement comme un march\u00e9 clandestin proposant des services de manipulation des r\u00e9seaux sociaux. Il a \u00e9t\u00e9 li\u00e9 au vol financier et exploite les victimes en exfiltrant leurs donn\u00e9es. \u00bb<\/p>\n<p><\/p>\n<div class=\"cf note-b\">Vous avez trouv\u00e9 cet article int\u00e9ressant ? Suivez-nous sur <a rel=\"nofollow noopener\" href=\"https:\/\/twitter.com\/thehackersnews\" target=\"_blank\">Twitter <i class=\"icon-font icon-twitter\">\uf099<\/i><\/a>  et <a rel=\"nofollow noopener\" href=\"https:\/\/www.linkedin.com\/company\/thehackernews\/\" target=\"_blank\">LinkedIn<\/a> pour lire davantage de contenu exclusif que nous publions.<\/div>\n<\/div>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><br \/>\n<br \/><br \/>\n<br \/><a href=\"https:\/\/thehackernews.com\/2024\/07\/github-token-leak-exposes-pythons-core.html\" rel=\"nofollow noopener\" target=\"_blank\">ttn-fr-57<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ue80215 juillet 2024\ue804R\u00e9dactionAttaque de la cha\u00eene d&#8217;approvisionnement \/ cybermenace Des chercheurs en cybers\u00e9curit\u00e9 ont d\u00e9clar\u00e9 avoir d\u00e9couvert un jeton GitHub divulgu\u00e9 accidentellement qui aurait pu accorder un acc\u00e8s \u00e9lev\u00e9 aux r\u00e9f\u00e9rentiels GitHub du langage Python, Python Package Index (PyPI) et aux r\u00e9f\u00e9rentiels Python Software Foundation (PSF). JFrog, qui a d\u00e9couvert le jeton d&#8217;acc\u00e8s personnel GitHub, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1239774,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[238714,200292,238582,240744,238778,8074,4168,4165,133,16209,7748,50438,50440,65,238584,200271,238334,98340,23436,11630,39385,58986,238617,4172,4169,196,4166,238583],"class_list":["post-1239773","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technologie","tag-actualites-des-hackers","tag-actualites-sur-la-cybersecurite","tag-actualites-sur-la-cybersecurite-aujourdhui","tag-actualites-sur-le-cyberespace","tag-actualites-sur-le-piratage-informatique","tag-attaques","tag-comment-pirater","tag-cyber-attaques","tag-des","tag-expose","tag-fuite","tag-github","tag-jetons","tag-les","tag-les-nouvelles-des-hackers","tag-logiciel-malveillant-rancongiciel","tag-mises-a-jour-cybernetiques","tag-mises-a-jour-de-cybersecurite","tag-potentielles","tag-principaux","tag-python","tag-referentiels","tag-securite-de-linformation","tag-securite-informatique","tag-securite-internet","tag-une","tag-violation-de-donnees","tag-vulnerabilite-du-logiciel"],"_links":{"self":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1239773","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/comments?post=1239773"}],"version-history":[{"count":0,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/posts\/1239773\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media\/1239774"}],"wp:attachment":[{"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/media?parent=1239773"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/categories?post=1239773"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/teknomers.com\/fr\/wp-json\/wp\/v2\/tags?post=1239773"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}