
Investigators later found similar malicious workflows in at least five public repositories and an estimated ten private ones. The attack was highly adaptive, targeting environment-specific secrets ranging from container registry credentials to cloud provider keys.
Researchers said in the blog post: “The attack pattern remained consistent across all the projects. The attacker first enumerated the secrets used by legitimate workflow files, then hardcoded these secret names in the malicious workflows.” Ghostation collected thousands of sensitive tokens, which could be used to tamper with packages, gain unauthorized access to infrastructure, or extend the supply chain compromise further.
The threat was contained within days
GitGuardian's security team responded quickly after the discovery, and the fastuced package was set to read-only by the PyPI administrators within minutes. The malicious commit was reverted shortly after. GitGuardian notified the maintainers of the affected repositories, successfully reaching 573 projects, while the GitHub, npm, and PyPI security teams were also alerted to the abuse.

