-
Notifications
You must be signed in to change notification settings - Fork 1.1k
blog: ghost action #18705
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
blog: ghost action #18705
Changes from all commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
83 changes: 83 additions & 0 deletions
83
docs/blog/posts/2025-09-16-github-actions-token-exfiltration.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| --- | ||
| title: Token Exfiltration Campaign via GitHub Actions Workflows | ||
| description: Incident report of a recent attack campaign targeting GitHub Actions workflows to exfiltrate PyPI tokens, our response, and steps to protect your projects. | ||
| authors: | ||
| - miketheman | ||
| date: 2025-09-16 | ||
| tags: | ||
| - security | ||
| - transparency | ||
| --- | ||
|
|
||
| ## Summary | ||
|
|
||
| I recently responded to an attack campaign where malicious actors injected code into GitHub Actions workflows | ||
| attempting to steal PyPI publishing tokens. | ||
| PyPI was not compromised, and no PyPI packages were published by the attackers. | ||
|
|
||
| Attackers targeted a wide variety of repositories, many of which had PyPI tokens stored as GitHub secrets, | ||
| modifying their workflows to send those tokens to external servers. | ||
| While the attackers successfully exfiltrated some tokens, they do not appear to have used them on PyPI. | ||
|
|
||
| I've invalidated all affected tokens and notified the impacted project maintainers. | ||
| If you're one of them, I have emailed you from <security@pypi.org>. | ||
|
|
||
| <!-- more --> | ||
|
|
||
| You can read more about the details of the attack on [GitGuardian's blog](https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen/). | ||
|
|
||
| ## Timeline and Response | ||
|
|
||
| On September 5th, a GitGuardian employee used the [PyPI "Report as malware" button](./2024-03-06-malware-reporting-evolved.md) | ||
| to submit their findings for a project named `fastuuid` - namely they found a malicious GitHub Actions workflow | ||
| attempting to exfiltrate PyPI tokens to a remote server. | ||
| No compromise on PyPI was found, tokens relating to the user accounts were invalidated, | ||
| and I reached out to the project owners to notify and help secure the account and project. | ||
|
|
||
| Later on September 5th, another researcher from GitGuardian emailed PyPI Security | ||
| directly about their current findings, effectively an expansion of the previous attack. | ||
| Due to some of the contents in that email, it ended up in our inbound Spam folder, | ||
| delaying response until September 10th when I became aware of the attack via other channels, | ||
miketheman marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| and found the original email in the Spam folder. | ||
| I may follow up with our support system provider to see about improving spam filtering rules. | ||
|
|
||
| After triaging the situation, I discovered another Indicator of Compromise (IoC) in the form of a URL, | ||
| which I shared with GitGuardian to assist with their ongoing investigation. | ||
|
|
||
| Over the course of the following few days, I reviewed the findings from the researchers. | ||
| I observed that many of the project maintainers responded to notifications from the researchers on their open source issue trackers, | ||
| either reverting the changes to their actions workflows, | ||
| or removing the affected workflows entirely from history via force-push of the repository. | ||
| Many of the maintainers also proactively rotated their PyPI tokens. | ||
|
|
||
| After confirming that no PyPI accounts had been compromised, | ||
| on September 15th I reached out to the maintainers of the affected projects to notify them of the situation, | ||
| to let them know that their tokens had been invalidated, | ||
| and recommend using [Trusted Publishers](https://docs.pypi.org/trusted-publishers/) | ||
| with GitHub Actions to help protect their projects in the future. | ||
|
|
||
| ## What You Can Do | ||
|
|
||
| If you use GitHub Actions to publish to PyPI, I recommend the following steps to protect your projects: | ||
|
|
||
| 1. Replace long-lived tokens with [Trusted Publishers](https://docs.pypi.org/trusted-publishers/. | ||
| This is the most effective way to protect your projects from this type of attack. | ||
| GitHub Trusted Publishers use short-lived tokens that are scoped to a specific repository, | ||
| and expire after a short period of time. | ||
| 2. Log into your account and review your security history for any suspicious activity. | ||
| You can do this by going to your [Account Settings](https://pypi.org/manage/account/) | ||
| and scrolling to the ["Security History" section](https://pypi.org/manage/account/#account-events). | ||
|
|
||
| While Trusted Publisher tokens can still be exfiltrated, | ||
| using Trusted Publishers significantly reduces the risk of compromise. | ||
|
|
||
| ## Acknowledgements | ||
|
|
||
| Thanks to Charles Brossollet, Guillaume Valadon, and Gaëtan Ferry | ||
| of [GitGuardian](https://www.gitguardian.com/) for their collaboration on this issue. | ||
|
|
||
| This investigation and incident response is made possible by the generosity of individuals and corporations | ||
| supporting critical security efforts to better secure the Python community, | ||
| with thanks to [Alpha-Omega](https://alpha-omega.dev/). | ||
|
|
||
| Support these efforts and more here: <https://www.python.org/sponsors/application/> | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.