A newly uncovered supply chain attack on GitHub, named GhostAction, has compromised more than 3,300 secrets across multiple ecosystems, including PyPI, npm, DockerHub, GitHub, Cloudflare, and AWS. The campaign was first identified by GitGuardian researchers, who traced initial signs of suspicious activity in the FastUUID project on September 2, 2025. The attack relied on compromised maintainer accounts, which were used to commit malicious workflow files into repositories. These GitHub Actions workflows were configured to trigger automatically on push events or manual dispatch, enabling the attackers to extract sensitive information.
Once executed, the malicious workflow harvested secrets from GitHub Actions environments and transmitted them to an attacker-controlled server through a curl POST request. In FastUUID’s case, the attackers accessed the project’s PyPI token, although no malicious package versions were published before the compromise was detected and contained. Further investigation revealed that the attack extended well beyond a single project. Researchers found similar workflow injections across at least 817 repositories, all exfiltrating data to the same domain. To maximize impact, the attackers enumerated secret variables from existing legitimate workflows and embedded them into their own files, ensuring multiple types of secrets could be stolen.
GitGuardian publicly disclosed the findings on September 5, raising issues in 573 affected repositories and notifying security teams at GitHub, npm, and PyPI. By t
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: