Cyber-Attack Campaign Ghostaction Targets Github Workflows - Arabian Post

(MENAFN- The Arabian Post) decoding="async" alt="" border="0" width="320" data-original-height="667" data-original-width="1000" src="https://ciso2ciso.com/wp-content/uploads/2025/09/184295-ghostaction-attack-steals-3325-secrets-from-github-projects-sourcehackread-com.jpg" onerror="this.onerror=null;this.src='https://thearabianpost.com/assets/aparab-news-post.jpg?v3';" />

Security investigators uncovered a sweeping campaign named GhostAction supply chain campaign that compromised 327 GitHub user accounts across 817 repositories on 5 September 2025. Attackers inserted deceptive workflow files, disguised as security enhancements, into projects-including the open-source FastUUID library-extracting and exfiltrating 3,325 secrets such as PyPI, npm and DockerHub tokens to an external server.

The campaign began when GitGuardian noted a suspicious commit on 2 September by the GitHub user Grommash9. The change, titled“Add Github Actions Security workflow”, embedded a workflow that captured PyPI API tokens and sent them to a specified HTTP endpoint. Although the workflow was executed, no malicious package uploads were detected in the FastUUID project during the compromised timeframe. By midday on 5 September, PyPI placed the project into read-only mode, and the malicious commit was promptly reverted.

Further analysis revealed that this tactic was systematic: attackers inspected legitimate CI/CD pipelines within targeted repositories to identify secret names, then crafted tailored malicious workflows to capture credentials on push or manual trigger. In total, more than 3,300 secrets-spanning DockerHub credentials, personal access tokens, npm authentication tokens, PyPI keys, AWS credentials, database logins, and Cloudflare API tokens-were stolen across over eight hundred repositories.

This breach exposed a critical weakness in the current CI/CD security model: the assumption that automated workflows are inherently benign. The GhostAction supply chain campaign underscores how trusted automation can be weaponised to harvest sensitive credentials undetected.

Developers and organisations need to urgently enforce stricter controls over GitHub Actions. Measures such as mandatory code reviews for workflow changes, branch protection rules, automated secret scanning and frequent rotation of credentials are vital to mitigate such threats.

See also AI Tool Flags Over 1,000 Dubious Scientific Journals

Notice an issue? Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com . We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

MENAFN08092025000152002308ID1110032727