Malware

GhostAction

GhostAction is a large-scale software supply chain attack on GitHub. According to the provided reporting, it was discovered after suspicious activity in the FastUUID project on September 2. The attackers compromised maintainer accounts and injected a malicious GitHub Actions workflow to harvest and exfiltrate secrets from repositories. The campaign exposed more than 3,300 secrets, including PyPI, npm, DockerHub, GitHub tokens, Cloudflare API keys, AWS access keys, and database credentials. Researchers identified at least 817 repositories with similar malicious commits, all exfiltrating data to the same endpoint, and reported impacts across at least nine npm packages and 15 PyPI packages. By September 5, researchers had notified GitHub, npm, and PyPI and filed issues across 573 impacted repositories. The content also notes that researchers believe GhostAction is separate from the earlier s1ngularity GitHub account attack. No specific threat actor attribution is provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

INDICATORS OF COMPROMISE

IOCs tracked for this family

9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

6 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other

3 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

domain●●●●●●●●●●●●View more in app10 months ago

ip.v4●●●●●●●●●●●●View more in app10 months ago

domain●●●●●●●●●●●●View more in app10 months ago

uri●●●●●●●●●●●●View more in app10 months ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

bleeping computerNews

Jan 26, 2026

Hackers can bypass npm’s Shai-Hulud defenses via Git dependencies

Named supply-chain incident affecting the JavaScript/npm ecosystem (no further technical details provided in the content).

sentinelone blogNews

Sep 12, 2025

The Good, the Bad and the Ugly in Cybersecurity – Week 37

Malicious GitHub Actions workflow used in a supply chain attack to exfiltrate secrets and credentials from compromised repositories and projects.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching9

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.