PyPI invalidates stolen tokens in the GhostAction supply chain attack, urging maintainers to adopt short lived credentials for stronger security.

Continue reading
The Python Software Foundation (PSF) has confirmed the invalidation of all PyPI publishing tokens compromised in the recent GhostAction supply chain attack. These tokens—used to push packages to the Python Package Index (PyPI)—were exfiltrated via malicious GitHub Actions workflows but, critically, no evidence suggests they were exploited to distribute malware.
The incident began on September 5, 2025, when GitGuardian detected GitHub Actions workflows (e.g., FastUUID) modified to leak PyPI tokens to attacker-controlled servers. Initially, GitGuardian’s findings were delayed due to email filtering errors, but by September 10, the scale became clear. More than 570 repositories were affected, prompting coordinated notifications to GitHub, npm, and PyPI security teams.
GitGuardian later revealed over 33,000 secrets stolen across ecosystems: PyPI, npm, DockerHub, GitHub, Cloudflare, AWS, and databases. The breadth of exposure meant entire SDK portfolios of some companies—spanning Python, Rust, JavaScript, and Go—were simultaneously compromised.
PyPI administrators invalidated all potentially exposed tokens and contacted project maintainers directly. While no PyPI accounts were abused to publish malicious packages, administrators emphasized transitioning from long-lived tokens to short-lived Trusted Publisher tokens for GitHub Actions workflows. Maintainers were also urged to review security histories for anomalies.
> “Attackers targeted a wide variety of repositories… While they successfully exfiltrated tokens, they do not appear to have used them on PyPI.” — Mike Fiedler, PyPI Admin
This breach follows a string of software supply chain incidents. In August, attackers exploited GitHub workflows in the Nx repository (s1ngularity attack), compromising 2,180 accounts and 7,200 repositories. Just weeks earlier, the PSF had also warned of phishing campaigns leveraging fake PyPI sites.
The GhostAction campaign underscores how continuous integration misconfigurations can cascade into ecosystem-wide threats. Though PyPI narrowly avoided a mass malware injection, the cross-ecosystem theft of credentials reveals the attackers’ sophistication. The path forward demands strict adoption of ephemeral credentials, vigilant monitoring of CI workflows, and coordinated threat intelligence across open-source registries.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.