GitGuardian has disclosed a new software supply chain attack campaign, dubbed GhostAction, that exfiltrated thousands of sensitive credentials before being detected and contained on September 5.
The attackers manipulated GitHub Actions workflows, the automated processes defined in a GitHub repository in response to specific events, to steal 3325 secrets from 327 users across 817 repositories.
“GitGuardian security research was internally alerted of the potential compromise of a GitHub repository associated with the FastUUID project,” GitGuardian security researchers Gaetan Ferry and Guillaume Valadon said in a blog post. “Investigations found that a malicious GitHub workflow file had been injected into the project.” The compromised user pushed identical malicious commits to other public and private repositories.
The stolen credentials span PyPI, npm, DockerHub, GitHub tokens, and more — delivered through HTTP POSTs to an actor-controlled endpoint.
Intercepting CI/CD tokens
The GhostAction campaign surfaced in the Python project FastUUID, where a contributor under the pseudonym ‘Grommash9’ introduced a workflow modification on September 2. The change contained code that extracted sensitive tokens, such as the PYPI_API_TOKEN–and transmitted them via HTTP POST requests to an attacker-controlled domain.
“While this token should have allowed the actor to compromise the FastUUID package on PyPI, we found no evidence of malicious package releases during the compromise window,” the researchers said, adding that the attacker’s inaction after initial compromise suggested FASTUUID was not the primary target.
Investigators later found similar malicious workflows across at least five public repositories and an estimated ten private ones. The attack was highly adaptive, targeting environment-specific secrets ranging from container registry credentials to cloud provider keys.
“The attack pattern remained consistent across all projects. The attacker first enumerated secrets from legitimate workflow files, then hardcoded these secret names into malicious workflows,” researchers added in the blog. GhostAction exfiltrated thousands of sensitive tokens that could have been used for package tampering, unauthorized infrastructure access, or further supply chain compromises.
Threat contained within days
GitGuardian’s security team responded quickly after detection, and the FastUUID package was set to read-only by PyPI administrators within minutes. The malicious commit was reverted shortly afterward. GitGuardian notified maintainers of the affected repositories, successfully contacting 573 projects, while also alerting GitHub, npm, and PyPI security teams to monitor for abuse.
Although no malicious packages have yet been published to official registries, GitGuardian reported that some packages are potentially still at risk. “From our initial investigations, so far, 9 npm and 15 PyPI packages are at risk of compromise in the next hours or days,” the researchers said.
The blog shared a list of indicators of compromise, including network and GitHub Workflow indicators. For additional protection, the researchers emphasized the importance of reviewing repository workflows, rotating exposed credentials, and adopting stricter controls for GitHub Actions to prevent similar incidents in the future.
Package ecosystems like npm and PyPI remain frequent targets due to their popularity and broad reach within the developer community. Beyond publishing malicious packages directly, like the recent npm reconnaissance campaign, attackers have also employed techniques such as typosquatting-creating look-alike packages–or even exploiting AI-hallucinated dependencies to trick developers into installing compromised code.