Scrubbing tokens from source code is not enough, as shown by the publishing of a Python Software Foundation access token with administrator privileges to a container image on Docker Hub.

PyPI Admin Ee Durbin was notified on June 28 this year, after which the token was revoked. The Python package Index (PyPI), is the world’s number one source for Python packages.

A malicious package named 'pycord-self' on the Python package index (PyPI) targets Discord developers to steal authentication tokens and plant a backdoor for remote control over the system.