Posts by conda-forge
CircleCI Security Incident
- 2023-03-12
In early January 2023, CircleCI informed us that they had a large
security breach where a third party had
gained access to all the environment secrets stored in the service.
For conda-forge, these secrets are the API token used to upload built packages to our staging area on anaconda.org and
the unique token we generate for each feedstock. The feedstock tokens are used as part of our artifact staging process to ensure
that only the maintainers of a given feedstock can upload packages built by that feedstock. Later in January, we were informed
by CircleCI that their security breach started on December 19, 2022, with the bulk of the secrets being exfiltrated in plain
text from their servers a few days later. A malicious third-party with access to these secrets could potentially upload
compromised versions of any package on conda-forge in a so-called “supply chain” attack.
