
GhostAction Supply Chain Attack Steals 3,000+ Secrets from GitHub Repositories

Massive 'GhostAction' attack hits 327 GitHub users, stealing over 3,325 secrets from 817 repositories, compromising SDKs across multiple languages.
Content Team

A massive supply chain attack called "GhostAction" has compromised 327 GitHub users across 817 repositories, stealing over 3,325 secrets, including DockerHub credentials, GitHub tokens, and npm tokens. GitGuardian discovered the attack on September 5 while investigating suspicious activity in the FastUUID project repository.

The attack began with a compromised maintainer pushing malicious GitHub Actions workflow files designed to steal secrets. While FastUUID wasn't the main target, investigators uncovered hundreds of similar malicious commits across multiple repositories, all connected to the same threat actor.

Several companies had their entire SDK portfolios compromised, affecting Python, Rust, JavaScript, and Go repositories simultaneously. GitGuardian notified affected users immediately, and 100 repositories have already reverted the malicious changes, though hundreds remain at risk.

Source: Infosecurity Magazine
