Closed. x448 closed this 3 years ago.
Thanks for the report. We published an official response to our exposure to this incident here: https://mail.python.org/pipermail/cryptography-dev/2021-April/001036.html
Please accept my apologies for opening the same issue in pyca/cryptography. I didn't see this response.
BTW, I started using DJB's NaCl in commercial software before libsodium was available and am thrilled to see it being so easily usable from Python. Nice work!!!
On April 15, Security Week reported:
Here's how the hacked script might have been downloaded and executed to potentially steal credentials, tokens, or keys located in environment variables:
https://github.com/pyca/pynacl/blob/b5c7dd110e852bfb47807b0e29eee82948b261a1/.github/workflows/ci.yml#L57-L60
It's better to embed a Python script in the workflow .yml file to compare coverage and generate a badge.
Projects like fxamacker/cbor avoided this for over a year by using a custom GitHub Actions workflow to generate a code coverage badge on GitHub. It was intended for Go coverage but the script embedded inside the .yml is written in Python.
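For projects that still need to run a third-party helper script in CI, the two controls that would have limited this incident are pinning the script's hash and not handing it the job's whole environment. The following is an added example and is not code from this thread, from pynacl, or from Codecov's tooling: the "uploader" is a constructed stand-in that merely lists the variable names it can see, the `GITHUB_TOKEN` value is made up, and the pinned-hash and `env -i` approach is this editor's suggestion, not a documented Codecov procedure.

```shell
#!/usr/bin/env sh
# Added example, not code from pynacl, this thread, or Codecov: instead of
# `bash <(curl -s URL)`, download the helper to a file, refuse to run it unless
# its SHA-256 matches a hash pinned in the repository, and run it under a
# scrubbed environment that carries only the variables it actually needs.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A secret the job happens to have in its environment (constructed value).
export GITHUB_TOKEN=ghp_constructed_not_a_real_token

# Constructed stand-in for the downloaded uploader. In CI this file would come
# from something like `curl -fsSL "$UPLOADER_URL" -o "$WORK/uploader.sh"`
# (hypothetical variable). It prints the names of every variable it can see,
# which is exactly what a backdoored uploader could send to an attacker.
cat > "$WORK/uploader.sh" <<'EOF'
#!/bin/sh
env | cut -d= -f1 | sort | tr '\n' ' '
EOF

# Portable SHA-256 of a file (GNU coreutils or BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# The hash a maintainer records after reviewing the script, e.g. committed as
# a file or set as a workflow env var, and bumped deliberately on each upgrade.
PINNED_SHA256=$(sha256_of "$WORK/uploader.sh")

# run_pinned FILE EXPECTED_SHA256 [VAR=VALUE ...]
# Returns 1 without executing anything when the hash differs. Otherwise runs
# FILE with `env -i`, so only PATH and the listed variables are visible to it.
run_pinned() {
  file=$1
  expected=$2
  shift 2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    printf 'refusing to run %s: sha256 %s does not match pinned %s\n' \
      "$file" "$actual" "$expected" >&2
    return 1
  fi
  env -i PATH="$PATH" "$@" sh "$file"
}

# Naive pattern: the script inherits everything, GITHUB_TOKEN included.
naive_env_names() {
  sh "$WORK/uploader.sh"
}

# Hardened pattern: verified hash, and only CODECOV_TOKEN passed through.
hardened_env_names() {
  run_pinned "$WORK/uploader.sh" "$PINNED_SHA256" CODECOV_TOKEN=constructed-token
}

# Tampered copy: one appended line changes the hash, so run_pinned refuses it.
tampered_run() {
  cp "$WORK/uploader.sh" "$WORK/tampered.sh"
  echo 'echo exfiltrating >&2' >> "$WORK/tampered.sh"
  run_pinned "$WORK/tampered.sh" "$PINNED_SHA256"
}

echo "naive sees:    $(naive_env_names)"
echo "hardened sees: $(hardened_env_names)"
if tampered_run; then
  echo "BUG: tampered script ran"
else
  echo "tampered script rejected"
fi
```

The naive run lists `GITHUB_TOKEN` among the visible variables; the hardened run lists only `PATH`, `CODECOV_TOKEN` and whatever the shell itself sets, and the tampered copy never executes. Pinning a hash means an upstream upgrade is a reviewed commit in the repository rather than something that silently changes on the next job, which is the same property x448 is after by embedding the script in the workflow file itself.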