logo

Hunting Leaked PyPI Tokens: 62 Live, 125 Packages Exposed

ID: 55bddf54-d31c-571b-bcbf-6b1cfd5b18f6

STIX ID: report--55bddf54-d31c-571b-bcbf-6b1cfd5b18f6

Feed Name: Security Boulevard

Threat Score
65/100

Date Published: 2026-06-24

Date Updated: 2026-06-24

Author: Guillaume Valadon

...
...

Researchers using GitGuardian data analyzed leaked PyPI API tokens found in public sources (primarily GitHub and some Docker Hub). After decoding and safely testing tokens, they determined 62 tokens were still valid and tied to 125 projects with roughly 25,000 monthly downloads; PyPI revoked the tokens after responsible disclosure. The report emphasizes the supply-chain risk of leaked tokens and recommends scoping tokens, scanning repositories/images for secrets, and ignoring sensitive files from source control.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.