PyPI Blog: Token Exfiltration Campaign via GitHub Actions Workflows (blog.pypi.org)
26 points by miketheman 2 days ago | 6 comments
darkamaul 8 hours ago
Huge kudos to Mike for handling this attack and appropriately contacting the maintainers. I’m also glad to see yet another case where having Trusted Publishing configured would have prevented the attack. That’s a cheap defense that has proven effective once again!
zahlman 2 days ago
> Attackers targeted a wide variety of repositories, many of which had PyPI tokens stored as GitHub secrets, modifying their workflows to send those tokens to external servers. While the attackers successfully exfiltrated some tokens, they do not appear to have used them on PyPI.

It's wild to me that people entrust a third-party CI system with API secrets, and then also entrust that same system to run "actions" provided by other third parties.
miketheman 2 days ago
Incident report of a recent attack campaign targeting GitHub Actions workflows to exfiltrate PyPI tokens, our response, and steps to protect your projects.
nodesocket 2 days ago
While Python is more widely used than JS, it's interesting that the majority of attacks and breaches come from NPM. The consensus seems to be that Python offering a standard library greatly reduces the attack surface over JS. I tend to agree with this; a decently large Flask Python app I am working on has 15 entries in requirements.txt (many of which are Flask plugins).