More than 320 GitHub users had their accounts hacked and used to push a malicious GitHub action onto their projects that stole secrets from CI/CD pipelines.
GitGuardian says the attackers compromised over 810 GitHub repos and stole more than 3,300 secrets.
The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows
On September 5, 2025, GitGuardian discovered GhostAction, a massive supply chain attack affecting 327 GitHub users across 817 repositories. Attackers injected malicious workflows that exfiltrated 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote endpoint.
GitGuardian Blog - Take Control of Your Secrets Security (blog.gitguardian.com)
