Page 69 - Cyber Defense eMagazine February 2024
GitGuardian Researchers Find Thousands of Leaked Secrets in PyPI (Python Package Index) Packages
By Dwayne McDaniel, Developer and Security Advocate, GitGuardian
Modern DevOps means our code depends on outside services and on components pulled in at run time. All of that access is gated by secrets: the API keys, passwords and other credentials that grant whatever access is needed. Ideally, these secrets live in a vault or a secrets management platform, or in a `.env` file that is kept safely outside of version control.
Unfortunately, all too often, secrets end up in places they shouldn't: hardcoded in plaintext in the source, or in a `.env` file that ships with the project and is visible to anyone who has access to it. This continues to be a growing problem, as evidenced by the millions of secrets GitGuardian reported in our annual report.
Furthermore, secrets sprawl is not limited to code produced in-house. It is also a serious problem for the third-party software we incorporate into our ecosystems. Unlike our own code, which is usually meant to run inside our data centers or cloud accounts, third-party code such as PyPI packages is most often distributed freely as open-source software, so any credential included in it can be seen by hundreds or potentially even millions of developers before the issue is discovered.
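The two leak paths described above, a credential hardcoded in a source file and a `.env` file packaged along with the project, can be checked for before a package is published or consumed. What follows is an added example written for this page; it is not code from the article, from GitGuardian, or from any PyPI project. It builds a small source distribution in memory from constructed sample files and scans every file in the archive. The key-format patterns, the entropy threshold, the package name and every credential value are assumptions made for illustration (the AWS key ID is the documentation placeholder value, the rest are made up).

```python
"""Scan a Python source distribution (sdist) for secrets shipped inside it.

Added example for this article, not code from GitGuardian or from any PyPI
project. Patterns, thresholds and the sample package are assumptions made
for illustration only.
"""
import io
import math
import re
import tarfile

# Constructed sample sdist contents. The AWS key ID is AWS's documentation
# example value; the other credentials are invented. None of them is real.
SAMPLE_FILES = {
    "demo_pkg-0.1/demo_pkg/__init__.py": b"__version__ = '0.1'\n",
    "demo_pkg-0.1/demo_pkg/client.py": (
        b"import requests\n"
        b"API_KEY = 'AKIAIOSFODNN7EXAMPLE'\n"
        b"SESSION_TOKEN = 'q7Zp2mX9vL4kR8nB1tW6yH3j'\n"
        b"PASSWORD = 'change-me-please'\n"
        b"TIMEOUT = 30\n"
    ),
    "demo_pkg-0.1/.env": (
        b"DATABASE_URL=postgres://app:s3cr3t-pw-9f2a@db.internal:5432/app\n"
        b"DEBUG=true\n"
    ),
    "demo_pkg-0.1/README.md": b"# demo_pkg\nSet API_KEY in your environment.\n",
}

# Credential formats with a fixed, recognisable shape: reported on sight.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # scheme://user:password@host  -> group(1) is the password
    "url_with_password": re.compile(r"[a-z][a-z0-9+.\-]*://[^/\s:@]+:([^@\s]{6,})@"),
}
# Generic "<secret-ish name> = <value>" assignment. The value is reported only
# when it looks random (Shannon entropy above the threshold), which keeps
# obvious placeholders such as 'change-me-please' out of the results.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune for your corpus
ENV_FILE = re.compile(r"(^|/)\.env(\..*)?$")  # .env, .env.production, ...


def shannon_entropy(value: str) -> float:
    """Bits per character of `value` (0.0 for empty or single-symbol input)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep just enough of the value to triage a finding, never the whole secret."""
    return secret[:4] + "..." + secret[-2:] if len(secret) > 8 else "***"


def scan_line(line: str):
    """Return (kind, redacted_value) for the first finding on a line, else None."""
    for kind, pattern in SPECIFIC_PATTERNS.items():
        m = pattern.search(line)
        if m:
            return kind, redact(m.group(m.lastindex or 0))
    m = GENERIC_ASSIGNMENT.search(line)
    if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
        return "high_entropy_assignment", redact(m.group(2))
    return None


def scan_sdist(archive: bytes):
    """Walk every regular file in a .tar.gz sdist and collect findings."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if ENV_FILE.search(member.name):  # a packaged .env is a finding by itself
                findings.append({"path": member.name, "line": 0,
                                 "kind": "env_file_packaged", "value": ""})
            data = tar.extractfile(member).read()
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary content: skipped by this simple scanner
            for lineno, line in enumerate(text.splitlines(), 1):
                hit = scan_line(line)
                if hit:
                    findings.append({"path": member.name, "line": lineno,
                                     "kind": hit[0], "value": hit[1]})
    return findings


def build_sample_sdist() -> bytes:
    """Pack SAMPLE_FILES into an in-memory .tar.gz, the shape `python -m build --sdist` produces."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in SAMPLE_FILES.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_sdist(build_sample_sdist()):
        print(f"{f['path']}:{f['line']}  {f['kind']}  {f['value']}")
```

Running the module prints one line per finding with the value redacted: the AWS key ID and the random-looking session token in `client.py`, the packaged `.env` file itself, and the database password embedded in its connection URL. The `change-me-please` placeholder matches the generic assignment pattern but is dropped by the entropy gate. A production scanner would carry far more key formats, handle wheels and binary content, and, where possible, check whether a candidate credential is still live before raising an alert.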
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.