
Is it possible to do a full sweep across all tokens in all Python files (for instance) in Github and find such keys? Can you tell from the contents if it's a key or some such "important" string?


GitHub already offers this - they scan all the code that gets uploaded to look for keys. I think the issue here is that the code wasn't on public GitHub, but the artifacts were uploaded to PyPi


Yep, and if you don't look for them, you can be darn sure someone else is looking for them. I heard about an incident from a friend where a GitHub repo was created accidentally public (ran out of private repos and I guess the failure mode back in the day was just make it public) and that repo had developer level access keys in it. Some enterprising fellow was scanning public repos for this, grabbed the keys, opened thousands and thousands of the biggest GPU machines they could get on AWS and started mining bitcoins. They were nice enough not to delete production to make room for more bitcoin miners.


That's not nice, that's just smart. Delete production, and someone will notice right away. Leave production as it is, and they might not notice until the bill comes due.


The keys here were actually in the published package, not in GitHub, as it seems it was published by accident.

Here[1] are the prefixes used for all AWS IAM access keys. Here[2] is the API definition for an access key. If you're going to search all of PyPy for keys, here's some more keys you can look for: [3] [4]

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_i... [2] https://docs.aws.amazon.com/IAM/latest/APIReference/API_Acce... [3] https://github.com/Josue87/GiveMeSecrets/blob/master/rules.p... [4] https://github.com/BitTheByte/Eagle/blob/master/plugins/spid...


Heh, your 3rd link must have OCR-ed a PDF or something because "(A3T[A-Z0-9]" is for sure wrong; I'm guessing they meant "ABIA" and then the 4th link must have copied from #3 (based on the commit date) because it makes the same mistake
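As an added example (not from any commenter, nor from the linked GiveMeSecrets or Eagle tools), here is a small Python scanner for the two things the thread asks about: recognising AWS access key IDs by their fixed prefixes and finding the prefix-less 40-character secret key by nearby context and entropy, over the files of an unpacked package. The prefix list is taken from the AWS IAM identifier reference linked above; the placeholder filter, entropy threshold and the sample input are assumptions of this example.

```python
import math
import re
from collections import Counter, namedtuple
from pathlib import Path

# Prefixes from the AWS IAM unique-identifier reference: the first group are credentials,
# the second are resource IDs (far less sensitive, but still worth knowing about).
CREDENTIAL_PREFIXES = ("AKIA", "ASIA", "ABIA", "ACCA")
IDENTIFIER_PREFIXES = ("AIDA", "AROA", "AGPA", "AIPA", "ANPA", "ANVA", "APKA")
KEY_ID_RE = re.compile(r"\b(%s)[A-Z0-9]{16}\b" % "|".join(CREDENTIAL_PREFIXES + IDENTIFIER_PREFIXES))
# Secret access keys carry no prefix (40 base64-ish chars), so require an "aws ... secret"
# context on the same line plus a minimum entropy to cut down false positives.
SECRET_RE = re.compile(r"(?i)aws.{0,30}?secret.{0,30}?['\"]([A-Za-z0-9/+]{40})['\"]")
PLACEHOLDER_RE = re.compile(r"EXAMPLE|XXXX|YOUR_|<[^>]*>")  # docs and templates, not leaks
MIN_SECRET_ENTROPY = 4.0  # bits per character; a random 40-char key scores about 5

Finding = namedtuple("Finding", "path line kind value")  # kind: credential|identifier|secret

def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for one repeated character, about 5.3 for 40 distinct ones."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def scan_text(text: str, path: str = "<memory>") -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PLACEHOLDER_RE.search(line):
            continue
        for m in KEY_ID_RE.finditer(line):
            kind = "credential" if m.group(1) in CREDENTIAL_PREFIXES else "identifier"
            findings.append(Finding(path, lineno, kind, m.group(0)))
        for m in SECRET_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= MIN_SECRET_ENTROPY:
                findings.append(Finding(path, lineno, "secret", m.group(1)))
    return findings

def scan_tree(root: str, suffixes=(".py", ".cfg", ".ini", ".toml", ".json", ".yml", ".yaml", ".env")) -> list:
    """Walk an unpacked sdist/wheel (or any directory) and scan every text-like file."""
    return [f for p in Path(root).rglob("*") if p.is_file() and p.suffix in suffixes
            for f in scan_text(p.read_text(errors="replace"), str(p))]

# Constructed sample input with fake values, standing in for a file from an unpacked package.
SAMPLE = """AWS_ACCESS_KEY_ID = "AKIACONSTRUCTEDKEY01"
AWS_SECRET_ACCESS_KEY = "d7F2kQ9zLm3pXwR8vT1nB6yH4jC0sE5uA2gK9oP7"
role_id = "AROACONSTRUCTEDROLE1"
doc_key = "AKIAIOSFODNN7EXAMPLE"  # AWS documentation placeholder: skipped
aws_secret_dummy = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # low entropy: skipped
"""
if __name__ == "__main__":
    for f in scan_text(SAMPLE, "sample.py"):
        print(f"{f.path}:{f.line}: {f.kind} {f.value}")
```

Run `scan_tree("path/to/unpacked-package")` against an sdist or wheel extracted with `tar`/`unzip` before publishing it; the regexes only find well-formed AWS values, so treat them as a pre-release check, not proof that nothing leaked.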



