
PyPI Upload Token

A PyPI Upload Token is a credential used to authenticate and authorize the upload of Python packages to the Python Package Index (PyPI). This token is critical for developers who distribute their Python packages, as it allows them to publish updates and new versions. Exposure of this token can lead to unauthorized uploads, potentially allowing attackers to distribute malicious versions of legitimate packages, posing a significant security risk to users who install these packages.


How Does It Look

PyPI Upload Tokens can appear in various contexts, such as:

  • Environment variables:

    export PYPI_TOKEN="pypi-AgENdGVzdC5..."

  • Configuration files (.env):

    PYPI_TOKEN=pypi-AgENdGVzdC5...

  • Code snippets:

    import os
    token = os.getenv("PYPI_TOKEN", "pypi-AgENdGVzdC5...")

  • Connection strings:

    https://upload.pypi.org/legacy/ -u __token__ -p pypi-AgENdGVzdC5...

Severity

  • 🔴 Critical

The severity of a PyPI Upload Token exposure is critical because it grants the ability to upload and potentially overwrite existing packages on PyPI. This can lead to widespread distribution of malicious code, affecting all users who download the compromised package. The blast radius is extensive, as it impacts the entire user base of the affected package.


What Can an Attacker Do?

With immediate access to a PyPI Upload Token, an attacker can:

  • Upload malicious packages: Replace legitimate packages with malicious versions (if the token has upload permissions).
  • Overwrite existing packages: Modify existing package versions to include harmful code (if the token allows overwriting).
  • Distribute malware: Spread malware to users who install or update the compromised package (if the package is popular).
  • Damage reputation: Tarnish the reputation of the package maintainer and the package itself.

An attacker could further escalate their access by using the compromised package to gain entry into systems that install it, potentially leading to lateral movement within affected networks.


Real-World Impact

The exposure of a PyPI Upload Token poses significant business risks, including:

  • Data Exposure: Users' systems could be compromised by malicious code (if the package is widely used).
  • Financial Loss: Organizations may incur costs from incident response and remediation efforts (if the package is critical to operations).
  • Operational Disruption: Systems relying on the compromised package could malfunction or be disabled (if the attacker modifies critical functionality).
  • Reputational Damage: Loss of trust from users and the community (if the package is widely recognized).

In the worst-case scenario, a compromised package could serve as a vector for a larger supply chain attack, affecting numerous downstream systems and users.


Prerequisites for Exploitation

To exploit a PyPI Upload Token, an attacker needs:

  • Network access: Ability to connect to the PyPI repository.
  • Token knowledge: The actual token value to authenticate uploads.
  • No IP restrictions: Lack of IP allowlisting on the PyPI account.

How to Verify If It's Active

To verify if a PyPI Upload Token is active, use the following command:

curl -u __token__:[TOKEN] https://upload.pypi.org/legacy/ -I

Valid credential response:

  • HTTP status code 200 or 204, indicating successful authentication.

Invalid/expired credential response:

  • HTTP status code 401, indicating unauthorized access.

Detection Patterns

Common Variable Names:

  • PYPI_TOKEN
  • PYPI_UPLOAD_TOKEN
  • PYPI_API_KEY
  • PYPI_SECRET
  • PYPI_KEY
  • PYPI_AUTH_TOKEN

File Locations:

  • .env
  • config.yaml
  • settings.json
  • deploy.sh
  • credentials.txt

Regex Pattern:

pypi-[A-Za-z0-9\-_]{20,}

Remediation Steps

  1. Revoke immediately - Go to PyPI account settings and delete the compromised upload token.
  2. Audit access logs - Review PyPI logs for unauthorized package uploads or modifications during the exposure window.
  3. Assess blast radius - Identify all packages and versions uploaded using the exposed token.
  4. Rotate credential - Generate a new upload token in PyPI and ensure it has the least-privilege permissions.
  5. Update dependent systems - Deploy the new token to all build and deployment pipelines securely.
  6. Harden access controls - Enable IP allowlisting in PyPI settings and require two-factor authentication for account access.
  7. Implement secrets management - Migrate tokens to a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
  8. Add detection controls - Set up pre-commit hooks and repository scanning to catch token leaks before they reach production.
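
The regex and variable names from Detection Patterns, combined into the kind of scanner a pre-commit hook or repository scan from step 8 would run. This is an added example, not code from the original page or from PyPI; the function names and sample tokens are constructed, and the macaroon header layout used to name the index is an assumption stated in the code.

```python
import base64
import re

# Regex and variable names taken from the Detection Patterns section.
TOKEN_RE = re.compile(r"pypi-[A-Za-z0-9\-_]{20,}")
VAR_NAMES = ("PYPI_TOKEN", "PYPI_UPLOAD_TOKEN", "PYPI_API_KEY",
             "PYPI_SECRET", "PYPI_KEY", "PYPI_AUTH_TOKEN")


def macaroon_location(token):
    """Return the index host named inside the token body, or None."""
    # Assumption: the body is an unpadded base64url macaroon (v2 binary)
    # starting 0x02, 0x01, <length>, <location bytes>.
    body = token[len("pypi-"):]
    body = body[:len(body) - len(body) % 4]  # drop ragged tail so it decodes
    try:
        raw = base64.urlsafe_b64decode(body)
    except ValueError:
        return None
    if len(raw) < 3 or raw[:2] != b"\x02\x01" or len(raw) < 3 + raw[2]:
        return None
    return raw[3:3 + raw[2]].decode("ascii", "replace")


def scan(text, path="<input>"):
    """Return one finding per token match, with the token redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for tok in TOKEN_RE.findall(line):
            findings.append({
                "path": path, "line": lineno,
                "token": tok[:9] + "..." + tok[-4:],  # never log the full value
                "variable": next((v for v in VAR_NAMES if v in line), None),
                "index": macaroon_location(tok),
            })
    return findings


def make_sample(host):
    """Constructed, non-functional token: header layout plus zero filler."""
    raw = bytes([2, 1, len(host)]) + host.encode() + b"\x00" * 24
    return "pypi-" + base64.urlsafe_b64encode(raw).decode().rstrip("=")


# Constructed .env-style input; the last line is a deliberate non-match.
SAMPLE = ('export PYPI_UPLOAD_TOKEN="%s"\n# no secret here\nPYPI_KEY=%s\n'
          'name = "pypi-simple"\n') % (make_sample("pypi.org"),
                                       make_sample("test.pypi.org"))

if __name__ == "__main__":
    print(*scan(SAMPLE, ".env"), sep="\n")
```

A non-None `index` means the match decodes to a token header rather than a string that merely starts with `pypi-`, which helps when triaging hits from a repository-wide scan.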

Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.

