@@ -6,49 +6,4 @@ investigation resulted in the temporary artifact upload shutdown you observed ye
66of our analysis show that, as best as can reasonably be determined, the token was not used by any 3rd party to
77upload malicious artifacts.
88
9- More details below the fold.
10-
11- <!-- truncate -->
12-
13- ## Report details
14-
15- In the past few months, ` conda-forge ` has been engaging with an external security audit in collaboration with
16- the [ Open Source Technology Improvement Fund] ( https://ostif.org/ ) (OSTIF). The full results of this audit will be
17- made public once it is complete per OSTIF responsible disclosure policies.
18-
19- During this process, OSTIF and their contractor uncovered misconfigured infrastructure which exposed the ` anaconda.org `
20- token for the ` conda-forge ` channel to all feedstock maintainers. The token was exposed from on or about 2025-02-10 through
21- 2025-04-01. See our [ GitHub Security Advisory] ( https://github.com/conda-forge/infrastructure/security/advisories/GHSA-m4h2-49xf-vq72 )
22- for more details.
23-
24- We have requested a CVE from GitHub and will amend this announcement once it is issued. Our response to this
25- incident is detailed below, but TL;DR, as best as can reasonably be determined, ** no packages were compromised
26- during this time** .
27-
28- Thank you for using ` conda-forge ` , please [ contact us] ( https://conda-forge.org/community/getting-in-touch/ ) if you
29- have further questions, and please follow our [ security process] ( https://github.com/conda-forge/conda-forge.github.io/blob/main/SECURITY.md )
30- for responsible reporting of vulnerabilities.
31-
32- ** Finally, as a reminder, ` conda-forge ` packages are built by strangers on the internet (our wonderful feedstock
33- maintainers!) and are not suitable for use cases that require secure software provenance.**
34-
35- ## Response timeline
36-
37- The timeline and details of our response to this security incident are as follows:
38-
39- - 2025-04-01 13:35 UTC: OSTIF and their contractor notified ` conda-forge ` of the leaked token.
40- - 2025-04-01 14:00 UTC: The ` conda-forge/core ` team acknowledged receipt of the report and
41- started conducting the investigation.
42- - 2025-04-01 14:15 UTC: The ` conda-forge/core ` team disabled the token and stopped uploads to ` anaconda.org ` .
43- - 2025-04-01 14:20 UTC: We posted an [ incident] ( https://github.com/conda-forge/status/issues/194 )
44- to our status page reporting that uploads were temporarily paused.
45- - 2025-04-01 15:19 UTC: We audited all uploads to the ` conda-forge ` channel, looking for uploads that
46- bypassed our upload staging process. We did not find any. This check is not completely robust, but it
47- does indicate that nothing was obviously compromised.
48- - 2025-04-01 15:53 UTC: We decided to delay disclosure by one day to 2025-04-02 in order to not generate
49- confusion (2025-04-01 is [ April Fools' Day] ( https://en.wikipedia.org/wiki/April_Fools%27_Day ) in some countries
50- when people commonly engage in practical jokes).
51- - 2025-04-01 21:39 UTC: We deployed a fix to our infrastructure.
52- - 2025-04-01 22:20 UTC: We then deployed a new token to our infrastructure and restarted uploads.
53- - 2025-04-01 23:02 UTC: The status page [ incident] ( https://github.com/conda-forge/status/issues/194 ) was marked as resolved.
54- - 2025-04-02: We published this announcement and the advisory. GitHub produced CVE-2025 -31484 for us based on our security advisory.
9+ More details in the [ corresponding blog post] ( /blog/2025/04/02/security-incident-with-package-uploads/ ) .
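Review bot: with the report body removed, the announcement no longer carries the GitHub Security Advisory link or the CVE identifier (CVE-2025-31484) that the deleted lines stated, so a reader who sees only the announcement has no direct pointer to the canonical record; keep at least the advisory/CVE reference beside the new blog-post link. The replacement line also uses a site-relative path (`/blog/2025/04/02/security-incident-with-package-uploads/`); confirm it resolves wherever this announcement is rendered (feeds, mirrors) or use an absolute URL.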