Abusing Git branch names to compromise a PyPI package

Related:<p>Ultralytics AI model hijacked to infect thousands with cryptominer (<a href="https:&#x2F;&#x2F;www.bleepingcomputer.com&#x2F;news&#x2F;security&#x2F;ultralytics-ai-model-hijacked-to-infect-thousands-with-cryptominer&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.bleepingcomputer.com&#x2F;news&#x2F;security&#x2F;ultralytics-a...</a>) - discussed 2 days ago: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=42351722">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=42351722</a><p>Discrepancy between what&#x27;s in GitHub and what&#x27;s been published to PyPI (<a href="https:&#x2F;&#x2F;github.com&#x2F;ultralytics&#x2F;ultralytics&#x2F;issues&#x2F;18027">https:&#x2F;&#x2F;github.com&#x2F;ultralytics&#x2F;ultralytics&#x2F;issues&#x2F;18027</a>) - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=42337548">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=42337548</a>

&quot;to compromise a GitHub repository&quot; would be a better title. The vulnerability here is with GitHub Actions combined with improper CI configuration. PyPI has nothing to do with this, really (other than being the site where this vulnerable repository&#x27;s releases are uploaded).

Was this because a shell script was using interpolation to add branch name to a shell command? Maybe we should start getting rid of string substitution-based shells?

I highly recommend the comments, particularly this from excors: <a href="https:&#x2F;&#x2F;lwn.net&#x2F;Articles&#x2F;1001309&#x2F;" rel="nofollow">https:&#x2F;&#x2F;lwn.net&#x2F;Articles&#x2F;1001309&#x2F;</a><p>I am far from an expert on CI &#x2F; GitHub, so when I saw this attack I thought &quot;sure I guess that could happen&quot; but was pretty baffled as to how beyond some hand-waving about escape characters and the dangers of mixing data and code.

[dupe] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=42351722">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=42351722</a>

How could this happen? We&#x27;re storing deploy credentials in GitHub, and configure fully automated deploy pipelines using YAML and Shell. Escaping 101. xD<p><a href="https:&#x2F;&#x2F;xkcd.com&#x2F;1638&#x2F;" rel="nofollow">https:&#x2F;&#x2F;xkcd.com&#x2F;1638&#x2F;</a>