Full Report
The Python Software Foundation team has invalidated all PyPI tokens stolen in the GhostAction supply chain attack in early September, confirming that the threat actors didn't abuse them to publish malware. [...]
Analysis Summary
# Incident Report: GhostAction Supply Chain Token Theft
## Executive Summary
A security incident, dubbed the GhostAction supply chain attack, involved the exfiltration of over 3,300 secrets, including PyPI tokens, from GitHub Actions workflows across multiple package ecosystems. While the tokens were stolen from repositories, PyPI admins invalidated the affected tokens, and there is no evidence they were used to publish malware on PyPI. The delay in response was partly due to a security report being incorrectly routed to spam.
## Incident Details
- **Discovery Date:** September 5, 2025
- **Incident Date:** Early September 2025 (Attack campaign ongoing)
- **Affected Organization:** Various organizations utilizing GitHub Actions for package publishing (PyPI, npm, DockerHub, etc.)
- **Sector:** Software Development / Open Source Ecosystems
- **Geography:** Global (Affecting cloud-hosted repositories)
## Timeline of Events
### Initial Access
- **Date/Time:** September 5, 2025 (Detection trigger)
- **Vector:** Malicious GitHub Actions workflows within affected repositories.
- **Details:** GitGuardian discovered malicious GitHub Actions workflows (e.g., in `FastUUID`) attempting to exfiltrate PyPI tokens to a remote server.
### Lateral Movement
- Not explicitly detailed for lateral movement *within* victim networks, but the attack demonstrated **compromises across multiple package ecosystems** (PyPI, npm, Rust crates, Go), suggesting broad compromise via affected workflows.
### Data Exfiltration/Impact
- **Data Exfiltration:** Over 3,300 secrets were stolen, including PyPI tokens, npm tokens, DockerHub tokens, GitHub tokens, Cloudflare API tokens, AWS access keys, and database credentials.
- **Impact:** While tokens were stolen, PyPI staff confirmed no evidence that compromised PyPI tokens were abused to publish malware.
### Detection & Response
- **Detection:** September 5, 2025, via a report from a GitGuardian employee regarding attempted token exfiltration in GitHub Actions. A subsequent report was delayed until September 10th due to email spam filtering.
- **Response Actions:** GitGuardian notified GitHub, npm, and PyPI security teams and opened GitHub issues in over 570 impacted repositories. PyPI invalidated **all** stolen publishing tokens (around September 15th) and contacted project owners.
## Attack Methodology
- **Initial Access:** Exploitation through compromised/malicious GitHub Actions workflows configured within targeted repositories.
- **Persistence:** Not explicitly detailed, but maintaining access likely relied on the integrity of the malicious workflow persisting in the repository configuration.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Attackers likely operated via trusted, legitimate GitHub Actions infrastructure.
- **Credential Access:** Harvesting secrets stored as GitHub Secrets (PyPI tokens, API keys, etc.) by modifying workflow files to send them to external C2 servers.
- **Discovery:** Not detailed, but implied scanning/targeting repositories configured with sensitive secrets in workflows.
- **Lateral Movement:** Demonstrated by affecting repositories handling multiple language ecosystems (Python, Rust, JavaScript, Go).
- **Collection:** Gathering credentials associated with package repositories (PyPI, npm) and cloud infrastructure (AWS).
- **Exfiltration:** Sending collected tokens and keys programmatically from the GitHub Actions runner environment to an attacker-controlled remote server.
- **Impact:** Theft of publishing access credentials for multiple software ecosystems.
## Impact Assessment
- **Financial:** Not disclosed, but costs associated with remediation and auditing would be present.
- **Data Breach:** Over 3,300 secrets stolen, including sensitive credentials for software publishing platforms and cloud infrastructure (AWS keys).
- **Operational:** Minor disruption reported to maintainers who had to rotate tokens; no confirmed impact due to data published via PyPI misuse.
- **Reputational:** Impacts trust in the security mechanisms surrounding GitHub Actions secrets management for package publishing.
## Indicators of Compromise
- **Network indicators:** Exfiltration attempts directed to an external server via compromised GitHub Actions runners (Defanged: `hxxp://remote-exfil-server`)
- **File indicators:** Malicious or altered GitHub Actions workflow files (.yml) designed to siphon secrets.
- **Behavioral indicators:** GitHub Actions running steps that contact disallowed external domains to transmit secrets.
## Response Actions
- **Containment measures:** All identified PyPI publishing tokens associated with the breach were invalidated by the Python Software Foundation team.
- **Eradication steps:** Affected project maintainers were advised to rotate all remaining compromised secrets and revert changes to affected GitHub Actions workflows.
- **Recovery actions:** PyPI staff followed up with affected project owners on September 15th to confirm token invalidation and provide security advisories.
## Lessons Learned
- **Key takeaways:** Reliance on long-lived secrets stored in repository secrets (like GitHub Secrets) poses a significant supply chain risk when leveraged by compromised CI/CD pipelines.
- **What could have been done better:** Incident response was delayed (September 5th report missed until September 10th) due to misrouted communications, highlighting the need for robust triage of security reports.
## Recommendations
- **Prevention measures for similar incidents:**
1. Package maintainers (especially on PyPI) must transition from long-lived secrets to short-lived **Trusted Publishers** tokens when using GitHub Actions.
2. Organizations should enforce strict least-privilege access for secrets used within CI/CD pipelines.
3. Review security history/logs for all associated accounts immediately upon notification of compromise in adjacent systems.