A campaign targeted GitHub Actions to steal PyPI tokens—PyPI wasn’t compromised and no PyPI packages were published by the attackers. Stay safe: review your tokens, rotate any exposed ones, and use short-lived, scoped GitHub Actions tokens. Details:
https://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/
Python Package Index
npub1g5…68fy6
2025-09-26 12:45:39 UTC
Author Public Key
npub1g52zm7t45x9srp48swy44hc03k2qzkckd63vyqfl0jvnvkzz8n0ql68fy6Seen on
wss://relay.momostr.pinkPublished at
2025-09-26 12:45:39 UTCEvent JSON
{
"id": "56bd5d82053eba9d6495a9b9f5db82f2cbe8a699b67a62373907bce5eb13471f",
"pubkey": "45142df975a18b0186a783895adf0f8d94015b166ea2c2013f7c993658423cde",
"created_at": 1758890739,
"kind": 1,
"tags": [
[
"proxy",
"https://fosstodon.org/@pypi/115270663510354143",
"web"
],
[
"proxy",
"https://fosstodon.org/users/pypi/statuses/115270663510354143",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://fosstodon.org/users/pypi/statuses/115270663510354143",
"pink.momostr"
],
[
"-"
]
],
"content": "A campaign targeted GitHub Actions to steal PyPI tokens—PyPI wasn’t compromised and no PyPI packages were published by the attackers. Stay safe: review your tokens, rotate any exposed ones, and use short-lived, scoped GitHub Actions tokens. Details:\nhttps://blog.pypi.org/posts/2025-09-16-github-actions-token-exfiltration/",
"sig": "e53350aa18193d560e92d2eac23dff4827facf5192905bb9b795754640e82f40fc92ef716ac925a086b5b9e7f85764a8096b37007858e89ec9b2384254867377"
}