- GhostAction attack stole 3,325 secrets from 327 GitHub accounts
- GitGuardian helped shut it down and alerted affected projects
- A separate NPM attack hit 2,000 accounts but was unrelated
Thousands of secrets such as PyPI and AWS keys, GitHub tokens, and more, were stolen recently during a supply-chain attack against GitHub, dubbed ‘GhostAction’. The attack was spotted by security researchers GitGuardian, who notified GitHub and had it shut down.
GitGuardian’s researchers first spotted the attack when they were notified of a GitHub project called FastUUID being compromised. The project’s maintainer account was evidently broken into and used to publish a malicious Actions workflow called “Add Github Actions Security workflow”.
It was designed to steal secrets, including those from PyPI, npm, DockerHub, GitHub, Cloudflare, and AWS.
Servers shut down
The researchers reported their findings to PyPI and the project was moved to a read-only state. Soon after, the legitimate account owner regained access and withdrew the malicious commit.
However, since the attacker did not react in the next couple of days, GitGuardian’s researchers concluded that they were most likely too busy compromising other projects, and they were right. A deeper investigation uncovered 327 compromised accounts, resulting in 3,325 leaked secrets.
“Following our impact assessment, we began alerting affected users and projects by creating issues in every compromised repository,” GitGuardian explained in the report. “Among 817 affected repositories, 100 had already reverted the malicious changes. We successfully created issues for 573 of the remaining 717 projects—the others were either deleted or had disabled issues.”
Soon after GhostAction was discovered, the server to which the secrets were being exfiltrated stopped resolving, meaning the campaign was successfully disrupted.
GitGuardian was also alerted to s1ngularity, an NPM supply chain attack that compromised more than 2,000 GitHub accounts and resulted in thousands of account tokens and repository secrets being leaked. Since both attacks happened at roughly the same time, they speculated that it could have actually been all part of the same campaign. However, the investigation determined that these were two separate incidents:
“From this initial investigation, we found no intersection between those users and the recent S1ngularity attack campaign’s victims. Those two incidents are likely unrelated,” they concluded.
Via BleepingComputer
You might also like
https://cdn.mos.cms.futurecdn.net/2viAsX89eJReYQEQ3i3SwH.jpg
Source link
