The Python Software Foundation (PSF) has invalidated all PyPI tokens compromised during the GhostAction supply chain campaign uncovered in early September. While no evidence of malicious package publication has been found, PSF executed a precautionary, platform-wide revocation to reduce exposure and prevent secondary attacks.
GhostAction explained: GitHub Actions abuse and secret exfiltration
Researchers at GitGuardian identified tampered GitHub Actions workflows—including a trojanized “FastUUID” workflow—designed to exfiltrate secrets to attacker-controlled servers. The initial alert to PyPI was sent on the day of discovery, but a spam filter delay shifted coordinated response to September 10.
According to GitGuardian’s assessment, adversaries siphoned more than 3,300 secrets, spanning tokens for PyPI, npm, Docker Hub, and GitHub, as well as API keys for Cloudflare and AWS and various database credentials. This is a textbook supply chain attack: the target is the CI/CD and automation layer rather than the end application itself, enabling stealthy, broad impact.
Coordinated response: token revocation, workflow cleanup, and maintainer outreach
To contain the incident, GitGuardian filed issues across 570+ affected repositories and notified the security teams at GitHub, npm, and PyPI. Many maintainers promptly rotated credentials, reverted tainted commits, and removed the infected workflows.
PyPI reports no signs of repository compromise or malicious artifacts being pushed. Nonetheless, following a defense-in-depth posture, PSF revoked all potentially exposed tokens and reached out to impacted project owners to assist with recovery, hardening, and safer publication workflows.
Why long-lived tokens amplify risk—and what to use instead
Short-lived credentials and PyPI Trusted Publishers
For projects using GitHub Actions, PyPI recommends replacing long-lived tokens with short-lived credentials via Trusted Publishers. This model leverages federated identity (e.g., OIDC) to mint ephemeral credentials bound to a verified trust relationship between a repository and PyPI. Even if an attacker exfiltrates a token, its narrow scope and brief lifetime severely limit utility and blast radius.
Practical supply chain security controls
Minimize privilege and lifetime. Apply least-privilege scopes to all tokens and set tight TTLs. In GitHub, restrict GITHUB_TOKEN permissions by default and avoid repo-wide administrative scopes for automation.
Lock down workflows. Require reviews for workflow changes, pin third-party Actions by commit SHA, restrict execution from forks, and prohibit self-hosted runner elevation. Treat CI definitions as code subject to the same rigorous change control.
Monitor and alert. Enable secret scanning, track publish/authentication logs, and instrument CI/CD telemetry. Regularly review PyPI account history and implement anomaly detection for package publishing.
Respond fast and rotate. At the first sign of leakage, revoke tokens, rebuild artifacts from trusted sources, and conduct workflow forensics to confirm the intrusion path and eradicate persistence.
Impact on the open-source ecosystem: risk without obvious exploitation
GhostAction underscores how adversaries can quietly manipulate developer infrastructure, echoing patterns seen in prior incidents such as Codecov’s Bash Uploader compromise and the SolarWinds build-system intrusion. Even without confirmed malicious uploads, the theft of thousands of secrets creates systemic risk: credential reuse across services, unauthorized repository access, tampering with build pipelines, and insertion of surreptitious dependencies.
For maintainers and organizations, the path forward is clear: adopt PyPI Trusted Publishers with short-lived credentials, pare back GITHUB_TOKEN permissions, enforce strict workflow governance, and pin all Actions. Combine automated secret scanning with routine audits of CI/CD configurations to reduce dwell time and prevent lateral movement.
Supply chain security is now a core reliability requirement for software delivery. Teams that shorten token lifetimes, verify publisher identities, and continuously audit their automation stack will be better positioned to withstand the next GhostAction-scale campaign—and to restore trust quickly if an incident occurs.