GhostAction: The Supply Chain Attack That Stole 3,325 GitHub Secrets
The GhostAction attack stands as one of the most significant compromises of the GitHub ecosystem in recent years. Researchers at GitGuardian uncovered a sweeping campaign in which threat actors injected malicious workflow files into repositories. Through these tampered scripts, the attackers exfiltrated 3,325 secrets, including PyPI, npm, and DockerHub tokens, as well as cloud service keys. In total, 327 users and 817 repositories were affected.
The investigation began with an incident involving the FastUUID project. Masquerading as a commit titled “Add GitHub Actions Security workflow,” a user named Grommash9 uploaded a GitHub Actions file that, instead of executing legitimate logic, transmitted tokens to an external domain. The workflow, triggered either on push or manual invocation, extracted secrets from the environment and sent them via HTTP requests to a remote server. To obscure its purpose, the attacker included trivial commands such as “Prepare Cache Busting,” though the script’s true function was the theft of sensitive data. The legitimate FastUUID workflow had been intended for testing and publishing the package to PyPI, where the same token was in use.
The compromise occurred on September 2, but thanks to rapid response efforts, the damage was contained. On September 5 at 12:11 p.m., PyPI placed the project into read-only mode, and within 19 minutes the malicious commit was withdrawn. During this period, the attackers failed to upload counterfeit package versions, which reduced the risk of a large-scale supply chain infection across dependencies—including high-profile projects such as BerriAI/litellm.
Subsequent analysis revealed that FastUUID was only a fragment of a far broader operation. On the same day, the attacker deployed identical workflows into other public and private repositories, expanding the range of stolen variables. In addition to PyPI tokens, the scripts were configured to harvest WhiteBIT and Cloudflare keys. All exfiltrated data was funneled to the same external server. A review of commit histories revealed hundreds of similar insertions, compromising repositories belonging to hundreds of users. At the time of analysis, the malicious infrastructure was still operational but ceased resolving later in the evening of September 5.
In total, the campaign resulted in the theft of more than 3,000 secrets. Of particular concern were stolen npm tokens and DockerHub keys, which could allow attackers to surreptitiously publish malicious packages and container images. Confirmed cases already include the misuse of AWS keys and database passwords. Some organizations reported simultaneous compromises of multiple SDKs across different languages—ranging from Python and Rust to JavaScript and Go.
GitGuardian began mass notifications by creating issues in affected repositories. Of the 817 projects, 100 had already reverted the malicious commits on their own, while 573 were flagged with formal warnings. Some repositories had been deleted entirely or disabled issue tracking. GitHub, npm, and PyPI were all formally notified. Early assessments suggest that in the coming days, nine npm packages and fifteen PyPI packages could be at elevated risk.
GitGuardian emphasized that the campaign bore the hallmarks of meticulous planning. The adversary first studied legitimate workflow files to catalog the names of commonly used secrets, then created counterfeit scripts with identical variable names, ensuring the theft of the most valuable credentials. Although GhostAction did not culminate in widespread malicious releases on package managers, it delivered a stark warning to the open-source ecosystem: CI/CD workflows can be just as vulnerable as source code itself.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
