PyPI Blog: Token Exfiltration Campaign via GitHub Actions Workflows
6 hours ago
- #Token Exfiltration
- #PyPI Security
- #GitHub Actions
- Attackers injected malicious code into GitHub Actions workflows to steal PyPI publishing tokens.
- No PyPI packages were published by the attackers, and PyPI was not compromised.
- Affected tokens were invalidated, and project maintainers were notified.
- Using Trusted Publishers with GitHub Actions is recommended to protect projects from similar attacks.
- The incident was reported by GitGuardian, whose collaboration helped in the investigation.
- Support from Alpha-Omega and the Python community aids in securing the Python ecosystem.