PyPI Blog: Token Exfiltration Campaign via GitHub Actions Workflows
11 comments
·September 16, 2025nodesocket
Hasnep
The large attack surface with npm is partly because of all the transitive dependencies used, which means that even if you only pull in a dozen packages directly, you're also using hundreds of other packages. Running `pip freeze` will list a lot of transitive dependencies as well, but I'm sure it'll be less than an equivalent JS project.
zahlman
The most important packages in the Python world don't have a lot of their own dependencies. Numpy has none, for example. The bulk of Numpy is non-Python code and interfaces/wrappers for that; the standard library isn't AFAIK pulling a whole lot of weight there.
nwellnhof
Numpy depends on BLAS and LAPACK.
milkshakes
while those are obviously huge dependencies, i think the claim was about _python_ dependencies
darkamaul
Huge kudos to Mike for handling this attack and appropriately contacting the maintainers.
I’m also glad to see yet another case where having Trusted Publishing configured would have prevented the attack. That’s a cheap defense that has proven effective once again!
zahlman
> Attackers targeted a wide variety of repositories, many of which had PyPI tokens stored as GitHub secrets, modifying their workflows to send those tokens to external servers. While the attackers successfully exfiltrated some tokens, they do not appear to have used them on PyPI.
It's wild to me that people entrust a third-party CI system with API secrets, and then also entrust that same system to run "actions" provided by other third parties.
blibble
it's even worse that that
the CI system itself encourages you to import random third party code into your CI workflow, based on mutable tags
which then receives full privileges
the entire thing is insane
NeutralForest
That's why I stick mostly with Github actions and pin the SHA of the commits instead of the tag version.
blibble
yes, it supports it, but it's not the default, is a pain and fills your build file with a load of noise
so very few use it
making it easy to do the right thing is an important part of API design and building secure systems, and these CI systems fail miserably there
miketheman
Incident report of a recent attack campaign targeting GitHub Actions workflows to exfiltrate PyPI tokens, our response, and steps to protect your projects.
While Python being more widely used than JS, it's interesting the majority of attacks and breaches come from NPM. The consensus seems to be that Python offering a standard library greatly reduces the attack surface over JS. I tend to agree with this, a decently large Flask python app I am working on has 15 entries in requirements.txt (many of which being Flask plugins).