Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket

Security News

Python Software Foundation Responds to GitHub Token Leak, Elects New Board Members, and Announces Key Infrastructure Hires

In July, the Python Software Foundation mounted a quick response to address a leaked GitHub token, elected new board members, and added more members to the team supporting PSF and PyPI infrastructure.

Python Software Foundation Responds to GitHub Token Leak, Elects New Board Members, and Announces Key Infrastructure Hires

Sarah Gooding

July 17, 2024


July has been a busy month for the Python Software Foundation (PSF). Last week, researchers at JFrog discovered and reported a leaked access token with administrator access to GitHub repositories that are critical for the Python ecosystem. PyPI Admin and PSF Director of Infrastructure Ee Durbin inadvertently leaked a “classic” GitHub token in a public Docker container, which granted admin access across all repositories - including those for Python’s infrastructure, the PSF, PyPI, the Python language and CPython.

The PSF mounted a quick response and was able to revoke the token within 17 minutes of its security team being notified, averting what could have potentially become a massive supply chain attack affecting the entire Python ecosystem. At this time there are no indicators of malicious activity associated with the token.

“This is a great reminder to set aggressive expiration dates for API tokens (If you need them at all), treat .pyc files as if they were source code, and perform builds on automated systems from clean source only,” Durbin said in the incident report on the PyPI blog.

PSF Expands Infrastructure Team#

Securing the Python ecosystem is a massive endeavor that has so far been the responsibility of just a handful of paid staff. This month the PSF added more members to the team supporting its infrastructure.

Jacob Coffee, maintainer of the Litestar organization and contributors to several popular packages, joined as an Infrastructure Engineer. He joins Durbin in sharing the responsibility of maintaining the PSF systems and services for the Python community, CPython development, and internal operations, expanding the team’s capacity to take on new infrastructure initiatives.

Maria Ashna is joining the team as a PyPI Support Specialist and will be focused on supporting critical Python Package Index (PyPI) services.

“Over the past 23 years, PyPI has seen essentially exponential growth in traffic and users, relying for the most part on volunteers to support it,” Durbin said about the new team additions. “With the addition of requirements to keep all Python maintainers and users safe, our support load has outstretched our support resources for some time now. The Python Software Foundation committed to hiring to increase this capacity in April and we’re excited to have Maria on board to begin providing crucially needed support.”

PSF Elects New Board Members#

Today the PSF announced its newly elected board members and the proposed changes to the bylaws. PSF Executive Director Deb Nicholson thanked outgoing members who were instrumental in “bringing PyCon US into an age of hybrid events, responding to calls from our community for transparency, and hiring multiple new staff members to continue to improve our organization.”

The new board members include Tania Allard, KwonHan Bae, and Cristián Maureira-Fredes. In 2025, the foundation will have four seats open again.

For this year’s election, PSF received 611 total votes, which was more than needed to reach the quorum of 1/3 of 794 affirmed voting members. The approved changes to the foundation’s bylaws improve the Python community’s governance and transparency. These recent strategic adjustments, coupled with the new PSF hires, ensure the ongoing security and growth of the Python ecosystem.

Subscribe to our newsletter

Get notified when we publish new security blog posts!

Try it now

Ready to block malicious and vulnerable dependencies?

Install GitHub AppBook a demo

Related posts

Back to all posts
SocketSocket SOC 2 Logo

Product

Packages

npm

Stay in touch

Get open source security insights delivered straight into your inbox.


  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc