A campaign targeted GitHub Actions to steal PyPI tokens—PyPI wasn’t compromised and no PyPI packages were published by the attackers. Stay safe: review your tokens, rotate any exposed ones, and use short-lived, scoped GitHub Actions tokens. Details:

Token Exfiltration Campaign via GitHub Actions Workflows - The Python Package Index Blog

Incident report of a recent attack campaign targeting GitHub Actions workflows to exfiltrate PyPI tokens, our response, and steps to protect your p...

🚨 There is a new ongoing phishing campaign against PyPI users. This campaign uses the same tactics as the previous campaign targeting PyPI users, but with a new domain. Read more about what steps we're taking to protect PyPI users from future campaigns:

Phishing attacks with new domains likely to continue - The Python Package Index Blog

A new phishing campaign targeting PyPI users using similar tactics to previous campaigns.