ghostaction

Incident Summary

GhostAction GitHub Actions campaign exfiltrates 3,325 secrets

GitGuardian disclosed on 2025-09-05 that an attacker had injected malicious workflow files named "Github Actions Security" into 817 repositories across 327 GitHub user accounts. The injected workflows enumerated the specific secret variable names referenced by each repository's legitimate CI/CD pipelines and exfiltrated their values via HTTP POST to `bold-dhawan.45-139-104-115.plesk.page` (45.139.104.115). In total, 3,325 secrets were stolen, including PyPI and npm publishing tokens, DockerHub credentials, GitHub PATs, AWS access keys, database credentials, and Cloudflare API tokens. 24 downstream packages (9 npm, 15 PyPI) were left at immediate risk of follow-on supply-chain compromise via the stolen publishing credentials.

Date
2025-08-28 to 2025-09-05
Category
Open Source
Target Surface
Revision control
Insertion Phase
CI/CD
Impact
Credential theft
Cause
Compromised credentials

What Was Affected

Package
ghostaction
Language
yaml
Component
CI/CD plugin
Artifact type
source archive
Domain type
code host
Domain
github.com

Incident Context

Motive
Credential theft
Attribution
Unknown attacker
Transitive
Yes
User Impact
327
Observed Duration
8 days

External References

Source Data

Source record: oss/ghostaction/meta.yaml