Live Cybersecurity News Ticker | Codekeeper

GhostAction Supply Chain Attack Steals 3,000+ Secrets from GitHub Repositories

Written by Content Team | Dec 26, 2025 8:47:52 PM

A massive supply chain attack called "GhostAction" has compromised 327 GitHub users across 817 repositories, stealing over 3,325 secrets including DockerHub credentials, GitHub tokens, and npm tokens. GitGuardian discovered the attack on September 5 when investigating suspicious activity in the FastUUID project repository.

The attack began with a compromised maintainer pushing malicious GitHub Actions workflow files designed to steal secrets. While FastUUID wasn't the main target, investigators uncovered hundreds of similar malicious commits across multiple repositories, all connected to the same threat actor.

Several companies had their entire SDK portfolios compromised, affecting Python, Rust, JavaScript, and Go repositories simultaneously. GitGuardian notified affected users immediately; 100 repositories have already reverted the malicious changes, though hundreds remain at risk.

Source: Infosecurity Magazine