Python Package Index API Token

ID: pypi_key

Severity: critical

Vendor: Python Package Index

Family: API Token

Description

The Python Package Index (PyPI) is the official third-party software repository for Python.

It exposes an API to interact with the repository.

Security

Any hardcoded PyPI API Token is a potential secret reported by this detector.

Accidentally checking in the API token to a source control repository could compromise the PyPI account and its data.

Suspicious activity can be detected by reviewing the "last used" date that the API tokens section of your PyPI account page displays for each token.

Examples

api_key=pypi-jgxQw2zA9lyuHDa9MwG49SP3kcXW2HSw57y7adlhZ3pAkoS57bjgxQw2zA9lyuHDa9MwG49SP3kcXW2HSw57y7adlhZ3pAkoS57bjgxQw2zA9lyuHDa9MwG49SP3kcXW2HSw57y7adlhZ3pAkoS57bjgxQw2zA9lyuHDa9MwG49SP3kcXW2HSw57y7adlhZ3pAkoS57b91boiyBSCA7N8F7
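Detecting a token of this shape in committed files can be done with a simple prefix-based scanner. The following is an added example, not the detector's own implementation: it assumes only that a PyPI token is the literal prefix `pypi-` followed by a long run of base64url characters, and the regex, the 50-character minimum and the sample configuration are assumptions constructed for this illustration. The token in the sample is fabricated and matches nothing real.

```python
import re
import sys

# Heuristic pattern for a PyPI API token (assumption for this example, not the
# detector's own rule): the literal prefix "pypi-" followed by at least 50
# base64url characters. The length floor keeps short identifiers such as
# "pypi-client" from being reported.
PYPI_TOKEN_RE = re.compile(r"pypi-[A-Za-z0-9_-]{50,}")


def redact(token: str) -> str:
    """Keep only the first 10 and last 4 characters so findings can be logged safely."""
    return token[:10] + "..." + token[-4:]


def find_pypi_tokens(text: str) -> list[tuple[int, str]]:
    """Return (line_number, redacted_token) for every line that embeds a token-like value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PYPI_TOKEN_RE.finditer(line):
            findings.append((lineno, redact(match.group(0))))
    return findings


def scan_file(path: str) -> list[tuple[int, str]]:
    """Scan one file on disk; binary or undecodable content is skipped rather than crashing."""
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            return find_pypi_tokens(fh.read())
    except OSError:
        return []


# Constructed sample: a .pypirc-style file with a fabricated token (not a real
# credential) plus two lines that must NOT be flagged.
FAKE_TOKEN = "pypi-" + "FAKEtoken0123456789_-" * 4
SAMPLE = f"""[pypi]
repository = https://upload.pypi.org/legacy/
username = __token__
password = {FAKE_TOKEN}
# the next two lines reference the prefix without embedding a token
client = pypi-client
password = ${{PYPI_API_TOKEN}}
"""


if __name__ == "__main__":
    # With file arguments, scan those files; otherwise demonstrate on the sample.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            for lineno, redacted in scan_file(p):
                print(f"{p}:{lineno}: possible PyPI token {redacted}")
    else:
        for lineno, redacted in find_pypi_tokens(SAMPLE):
            print(f"sample:{lineno}: possible PyPI token {redacted}")
```

Run it as a pre-commit hook over staged files, and treat any hit as a revoke-first event: the redacted form is enough to locate the line, and the full value never needs to reach a log.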

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). Go to User Account, find the specific API token, and revoke it by clicking on the Options selector and then on the Remove token option.

  2. In the same PyPI account, navigate to the Security history section, which lists security-related events. There you can look for logins at odd times or from unexpected locations, and for uses of the leaked API token. If you see suspicious activity, follow the steps listed under "What should I do if I notice suspicious activity on my account?".

  3. Remove the PyPI API token from the source code or committed configuration file.

  4. (Optional) If the code is in a git repository, you can remove unwanted files from the repository history using tools such as git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits that contain secrets as compromised.

Remember that secrets can be removed from the history of your own repositories, but not from other users' clones or forks.