
detente18 yesterday at 3:53 PM (2 replies)

It was the PYPI_PUBLISH token, which was in our GitHub project as an env var, that got sent to Trivy.

We have deleted all our PyPI publishing tokens.

Our accounts had 2FA, so it's a bad token here.

We're reviewing our accounts to see how we can make it more secure (trusted publishing via JWT tokens, move to a different PyPI account, etc.).


Replies

redrove yesterday at 4:08 PM

How did PYPI_PUBLISH lead to a full GH account takeover?

mike_hearn yesterday at 4:49 PM

Perhaps it's too obvious but ... just running the publish process locally, instead of from CI, would help. Especially if you publish from a dedicated user on a Mac where the system keychain is pretty secure.
