A campaign targeted GitHub Actions workflows to steal PyPI API tokens. PyPI itself was not compromised, and the attackers published no packages on PyPI. Stay safe: review your tokens, rotate any that may have been exposed, and use short-lived, narrowly scoped GitHub Actions tokens. Details:
Token Exfiltration Campaign via GitHub Actions Workflows - The Python Package Index Blog
Incident report of a recent attack campaign targeting GitHub Actions workflows to exfiltrate PyPI tokens, our response, and steps to protect your p...
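As an added example (not code from the PyPI post or from PyPI itself), a release workflow that follows the advice above on scoped, short-lived GitHub Actions tokens. It assumes the package builds with `python -m build`, that the PyPI token is a project-scoped token stored as the repository or environment secret `PYPI_API_TOKEN`, and that a deployment environment named `pypi` exists; all three names are assumptions for illustration.

```yaml
# Added example, not from the PyPI post. Assumed names: secret PYPI_API_TOKEN,
# deployment environment "pypi", build via `python -m build`.
name: release

on:
  push:
    tags: ["v*"]

# Weak setting (explicit, or the repository default when the block is absent):
# permissions: write-all
#
# Corrected: the workflow-level GITHUB_TOKEN is read-only. It is minted per job
# and expires when the job ends; jobs that need more must opt in explicitly.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install --upgrade build
      - run: python -m build
      - uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/

  publish:
    needs: build
    runs-on: ubuntu-latest
    # Secrets scoped to this environment are only available to this job.
    environment: pypi
    permissions:
      contents: read
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install --upgrade twine
      # The PyPI token is referenced only here, so no other step receives it.
      - run: python -m twine upload dist/*
        env:
          TWINE_USERNAME: __token__
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
```

The build job never sees the PyPI token: GitHub only exposes a secret to the steps that reference it, and the environment binding keeps it out of every other workflow in the repository. The PyPI token itself is still a long-lived credential, which is why the post's advice to review and rotate it applies regardless of how the workflow is laid out; keep it scoped to the one project it publishes.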