The Python Software Foundation invalidated all PyPI tokens stolen during the GhostAction supply chain attack to prevent misuse, confirming they weren't exploited to publish malware. Multiple package ecosystems were affected, with over 3,300 secrets stolen across platforms like npm, DockerHub, and AWS, but no PyPI repositories were compromised. #GhostAction #PyPI #GitHubActions
Key points
- The Python Software Foundation invalidated stolen PyPI tokens after a supply chain attack.
- Malicious workflows attempted to exfiltrate tokens to external servers but weren't used on PyPI.
- Over 3,300 secrets, including API keys and credentials, were stolen across multiple platforms.
- Project maintainers rotated tokens and removed affected workflows following the incident.
- Experts recommend using short-lived Trusted Publisher tokens and reviewing security logs for protection.
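To make the Trusted Publisher recommendation concrete, here is an added example (not code from the article, the PSF, or any affected project) showing a GitHub Actions publish job that relies on a stored long-lived PyPI token next to the same job rewritten to use Trusted Publishing; the job layout, the `pypi` environment name and the use of the `pypa/gh-action-pypi-publish` step are assumptions about a maintainer's setup.

```yaml
# Added example; assumptions: the package is built with the `build` module and
# uploaded by `pypa/gh-action-pypi-publish`; the environment name "pypi" is illustrative.

# --- Weak: a long-lived PyPI API token stored as a repository secret. ---
# Any workflow that can read secrets (including one tampered with, as in the
# GhostAction incident) can exfiltrate it, and it stays valid until revoked.
name: publish-with-stored-token
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}   # durable secret, nothing scopes its lifetime

---
# --- Hardened: Trusted Publishing. No PyPI secret is stored in GitHub. The job
# requests an OIDC token from GitHub, which PyPI exchanges for a short-lived
# upload token bound to this repository and workflow, so there is nothing
# durable for a malicious workflow step to carry off.
name: publish-with-trusted-publisher
on:
  release:
    types: [published]
permissions:
  contents: read          # least privilege as the workflow-wide default
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: pypi     # the PyPI trusted-publisher registration can require this environment
    permissions:
      id-token: write     # only this job may mint the OIDC identity token
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip install build && python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        # no `password:` input: the action obtains the short-lived token via OIDC
```

After an incident like this one, a maintainer would pair the hardened workflow with the other step the article mentions: reviewing the PyPI account security log for uploads or token activity they did not initiate.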