GitHub Actions
-
Self-propagating npm supply-chain attack hits at least 187 packages in ‘Shai-Hulud’ worm
Security researchers warn of a self-propagating supply-chain attack on npm that has compromised at least 187 packages in a campaign dubbed ‘Shai-Hulud.’ The worm begins with the widely used @ctrl/tinycolor package and spreads to other maintainers’ packages, using a bundle.js payload that leverages TruffleHog to exfiltrate secrets and forge GitHub Actions workflows.
-
GhostAction: GitHub supply-chain attack exposes 3,325 secrets across hundreds of repositories
Researchers say a GitHub supply-chain campaign named GhostAction stole about 3,325 secrets across PyPI, npm, DockerHub, GitHub tokens, Cloudflare, and AWS keys, by compromising maintainer accounts to inject malicious GitHub Actions workflows that exfiltrate secrets to an attacker-controlled endpoint.
