Full Report
A new supply chain attack on GitHub, dubbed 'GhostAction,' has compromised 3,325 secrets, including PyPI, npm, DockerHub, GitHub tokens, Cloudflare, and AWS keys. [...]
Analysis Summary
# Incident Report: GhostAction GitHub Supply Chain Attack
## Executive Summary
A widespread supply chain attack named 'GhostAction' leveraged compromised GitHub maintainer accounts to inject malicious GitHub Actions workflows into at least 817 repositories, resulting in the theft of approximately 3,325 sensitive secrets. The attackers successfully exfiltrated credentials for various platforms, including PyPI, npm, DockerHub, and AWS. The incident was discovered by GitGuardian researchers, leading to rapid engagement with affected platforms and remediation efforts.
## Incident Details
- **Discovery Date:** September 5, 2025 (First evidence noted on September 2, 2025)
- **Incident Date:** Commenced before September 2, 2025
- **Affected Organization:** At least 817 repositories across varied organizations/projects (e.g., FastUUID)
- **Sector:** Software Development / Open Source Ecosystems
- **Geography:** Global (Affecting GitHub infrastructure)
## Timeline of Events
### Initial Access
- **Date/Time:** Before September 2, 2025
- **Vector:** Compromised GitHub maintainer accounts.
- **Details:** Attackers gained control over legitimate maintainer accounts within target repositories.
### Lateral Movement
- **Details:** Not explicitly detailed as lateral movement within victim networks, but rather the expansion across multiple repositories via the injected malicious workflow, affecting infrastructure across PyPI, npm, DockerHub, and cloud services.
### Data Exfiltration/Impact
- **Details:** On September 2, 2025, evidence surfaced on the FastUUID project. The malicious workflow read secrets from the GitHub Actions environment and exfiltrated them via a `curl POST` request to the attacker-controlled endpoint: `bold-dhawan[.]45-139-104-115[.]plesk[.]page`. Total secrets stolen estimated at 3,325.
### Detection & Response
- **Detection:** GitGuardian researchers uncovered the full scope of the campaign on September 5, 2025.
- **Response actions taken:** GitGuardian opened GitHub issues in 573 impacted repositories and directly notified the security teams of GitHub, npm, and PyPI. The exfiltration endpoint stopped resolving shortly after discovery.
## Attack Methodology
- **Initial Access:** Compromised GitHub Maintainer Accounts.
- **Persistence:** Implied through the maintained malicious GitHub Actions workflow file within the repository structure.
- **Privilege Escalation:** Not detailed, but necessary to gain control over maintainer accounts.
- **Defense Evasion:** Utilizing legitimate GitHub Actions functionality to execute the theft process automatically on 'push' or manual dispatch.
- **Credential Access:** Directly accessing secrets configured in the GitHub Actions environment variables.
- **Discovery:** Attackers enumerated secret names from legitimate workflows to hardcode them into their malicious workflow to ensure broad data capture.
- **Lateral Movement:** Not applicable in the traditional sense; movement was lateral across the *supply chain* by compromising source code repositories.
- **Collection:** Reading GitHub Secrets environment variables.
- **Exfiltration:** Using a `curl POST` request to send secrets to an external staging domain.
- **Impact:** Theft of credentials for multiple package managers and cloud providers.
## Impact Assessment
- **Financial:** Not estimated, but significant remediation costs and potential losses from compromised cloud access/package releases expected.
- **Data Breach:** Theft of approximately 3,325 secrets, including PyPI tokens, npm tokens, DockerHub tokens, GitHub tokens, Cloudflare API tokens, AWS access keys, and database credentials. At least nine npm and 15 PyPI packages were directly impacted.
- **Operational:** Potential for downstream malicious package releases (though none were confirmed before remediation for PyPI). Companies had portions of their SDK portfolios compromised across Python, Rust, JavaScript, and Go repositories.
- **Reputational:** Damage to trust within the open-source community regarding code security practices.
## Indicators of Compromise
- **Network indicators (defanged):** `bold-dhawan[.]45-139-104-115[.]plesk[.]page`
- **File indicators:** Malicious `.github/workflows/` files containing logic to read secrets and execute outbound `curl` traffic.
- **Behavioral indicators:** Outbound network traffic (POST requests) initiated by GitHub Actions workflows to untrusted external domains.
## Response Actions
- **Containment measures:** GitGuardian notified GitHub, leading to the disabling or reverting of malicious workflows across affected repositories. Source code changes were reverted.
- **Eradication steps:** Maintainers of affected packages (npm, PyPI) were urged to revoke all leaked secrets immediately.
- **Recovery actions:** N/A noted, but implicitly required secret rotation across all compromised platforms.
## Lessons Learned
- Compromised source code repositories, even when using CI/CD automation like GitHub Actions, pose a severe supply chain risk if maintainer accounts are breached.
- GitHub Actions secrets, intended for secure automation, can be trivially exploited if workflows are modified by unauthorized users via account compromise.
- Automated secret scanning (like GitGuardian's) is crucial for detecting the injection of malicious code referencing or attempting to exfiltrate secrets.
## Recommendations
- Implement Multi-Factor Authentication (MFA) robustly across all GitHub accounts, especially for repository maintainers.
- Review and restrict which actions can be triggered by external events (like `push`) in sensitive repositories, or minimize the secrets available to non-production workflows.
- Regularly audit source code for unauthorized additions of workflow files, even if they appear benign initially.
- Immediately rotate all secrets identified, suspected, or potentially exposed across all package ecosystems (npm, PyPI, AWS, etc.).