- GhostAction attack stole 3,325 secrets from 327 GitHub accounts
- GitGuardian helped shut it down and warned affected projects
- A separate npm attack hit 2,000 accounts but was not related
Thousands of secrets, including PyPI and AWS keys, GitHub tokens and more, were recently stolen in a supply chain attack on GitHub, dubbed 'GhostAction'. The attack was discovered by security researchers at GitGuardian, who informed GitHub and got it shut down.
GitGuardian's researchers first discovered the attack when they were alerted to a compromised GitHub project, FastUUID. The project's maintainer account had evidently been hijacked and used to push a malicious GitHub Actions workflow named "Add Github Actions Security Workflow".
It was designed to steal secrets, including PyPI, npm, DockerHub, GitHub, Cloudflare and AWS credentials.
Servers shut down
The researchers reported their findings to PyPI, and the project was placed in a write-protected state. Shortly after, the legitimate account owner regained access and reverted the malicious commit.
However, when the attacker did not respond over the next few days, GitGuardian's researchers concluded that they were probably busy compromising other projects, and they were right. A deeper investigation revealed 327 compromised accounts, resulting in 3,325 leaked secrets.
"After our impact assessment, we began notifying the affected users and projects by creating issues in every compromised repository," GitGuardian explained in the report. "Among the 817 affected repositories, 100 had already reverted the malicious changes. We successfully created issues for 573 of the remaining 717 projects; the others were either deleted or had issues disabled."
Shortly after GhostAction was discovered, the server receiving the exfiltrated secrets stopped resolving, meaning the campaign had been disrupted.
GitGuardian had also been warned about s1ngularity, an npm supply chain attack that compromised more than 2,000 GitHub accounts and led to thousands of account and repository secrets leaking. Since both attacks happened at around the same time, the researchers speculated that they might be part of the same campaign. However, the investigation determined that they were two separate events:
"From this initial investigation we found no intersection between these users and the recent S1ngularity attack campaign. These two events are probably not related," they concluded.
Via BleepingComputer