> From today, GitHub will scan every commit to a public repository for exposed PyPI API tokens. We will forward any tokens we find to PyPI, who will automatically disable them and notify their owners.
If you commit your AWS secrets/tokens, or similar, inside a Python script, it will now be discovered by GitHub automatically.
They have integrations with a bunch of services to recognize the tokens and disable them. This means malicious users can't copy/paste them, spin up servers and leave you with a big bill. (Ideally; of course it could still happen, but the aim is to prevent that kind of thing.)
Though this has been true for a while, it's not what this announcement is about. This is specifically announcing automated scanning and reporting of PyPI keys, which, if exposed, could allow a bad actor to distribute compromised Python packages via PyPI (e.g. pip).
If you accidentally commit your PyPI private token to git and push it to GitHub, PyPI will detect this and disable the token within seconds (because there are absolutely bots who will try to find it and abuse it).
I presume it means that if someone accidentally pushes up a token to a public GitHub repo, then it can't be used to hijack all the PyPI packages corresponding to that token to become malicious.
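As an added example (not part of the thread above, and not GitHub's or PyPI's own scanner), here is the client-side counterpart of what the commenters describe: a small Python pre-commit check that scans only the lines a staged diff adds for tokens shaped like the ones discussed, so the token never reaches GitHub in the first place. The regexes are assumptions that approximate the public token shapes (PyPI API tokens begin with `pypi-`, AWS access key IDs with `AKIA`); the sample script and diff are constructed, the PyPI token in them is fabricated, and the AWS key is Amazon's documented placeholder key.

```python
import re
from dataclasses import dataclass

# Assumed, approximate token shapes for this example. The exact patterns
# GitHub's secret scanning uses are not given in the thread.
#   - PyPI API tokens: "pypi-" followed by a long base64url payload
#   - AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics
PATTERNS = {
    "pypi_api_token": re.compile(r"\bpypi-[A-Za-z0-9_-]{50,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Unified-diff hunk header; group 1 is the first line number in the new file.
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    token: str


def scan_text(text: str) -> list[Finding]:
    """Return every token-shaped string in `text`, with its 1-based line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(kind, line_no, m.group(0)))
    return findings


def scan_diff(diff: str) -> list[tuple[str, Finding]]:
    """Scan only the added lines of a unified diff (e.g. `git diff --cached`).

    Removed lines are skipped: they no longer exist in the tree being committed.
    Line numbers reported are positions in the new version of each file.
    """
    results = []
    path = None
    new_line = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        m = HUNK_RE.match(raw)
        if m:
            new_line = int(m.group(1))
            continue
        if raw.startswith("-"):
            continue  # covers both removed lines and the "--- a/..." header
        if raw.startswith("+"):
            for f in scan_text(raw[1:]):
                results.append((path, Finding(f.kind, new_line, f.token)))
        if raw.startswith(("+", " ")):
            new_line += 1  # added and context lines both occupy a new-file line
    return results


def redact(token: str) -> str:
    """Show enough to identify the token type without reproducing it in output."""
    return token[:8] + "..." + token[-4:]


# Constructed sample data (fabricated PyPI token; AWS key is Amazon's doc example).
PYPI_SAMPLE = "pypi-AgEIcHlwaS5vcmc" + "Qx" * 30
SAMPLE_SCRIPT = f"""\
import os
TWINE_USERNAME = "__token__"
TWINE_PASSWORD = "{PYPI_SAMPLE}"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
placeholder = "pypi-REPLACE_ME"
"""
SAMPLE_DIFF = f"""\
diff --git a/publish.py b/publish.py
--- a/publish.py
+++ b/publish.py
@@ -1,3 +1,4 @@
 import os
-TWINE_PASSWORD = os.environ["PYPI_TOKEN"]
+TWINE_PASSWORD = "{PYPI_SAMPLE}"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
 print("publishing")
"""

if __name__ == "__main__":
    # Usage as a hook: `git diff --cached | python scan_secrets.py`
    import sys
    hits = scan_diff(sys.stdin.read())
    for file_path, f in hits:
        print(f"{file_path}:{f.line_no}: {f.kind} {redact(f.token)}")
    sys.exit(1 if hits else 0)
```

Run with `git diff --cached | python scan_secrets.py` from a pre-commit hook; a non-zero exit blocks the commit. Scanning only `+` lines keeps the hook fast and avoids re-flagging history, and the placeholder `pypi-REPLACE_ME` in the sample is deliberately too short to match, which is the kind of false-positive control a real scanner needs.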