Critical Updates: GitHub Supply-Chain Attack – Sept 2025

What Happened

A new campaign, nicknamed GhostAction, was discovered in early September 2025 targeting GitHub repositories. Attackers managed to compromise maintainer accounts and insert malicious GitHub Actions workflows into affected projects.

These workflows were designed to capture sensitive secrets stored in CI/CD pipelines, such as tokens and credentials used for publishing to package registries or accessing cloud services.

Impact

• Around 300+ repositories were impacted.
• Thousands of secrets, including API keys and tokens, were at risk of being exposed.
• The stolen credentials could potentially be misused for publishing malicious packages or accessing developer infrastructure.

Why It Matters

This incident shows how attackers are moving beyond packages themselves and into the build pipelines that create and distribute them. Even trusted projects can become a risk if their workflows are compromised.

How to Stay Safe

• Review your repository workflows and remove anything unexpected.
• Rotate any exposed or potentially exposed secrets.
• Use GitHub’s security alerts and enable 2FA on maintainer accounts.
• Consider third-party tools that can detect unusual workflow activity.

Final Thoughts

The GhostAction incident is a reminder that supply-chain security extends to every step — from source code to CI/CD workflows. Developers should stay vigilant, audit their pipelines regularly, and adopt stronger authentication and secret management practices.

References

• GitGuardian – GhostAction Campaign Report (🔗 LINK)
• CSO Online – GhostAction Campaign Steals 3,325 Secrets (🔗 LINK)
• TechRadar – GitHub Supply Chain Attack Sees Thousands of Tokens Stolen (🔗 LINK)