All news with #github tag

Tue, September 9, 2025

GPUGate campaign exploits Google Ads and GitHub mimicry

🔒 Arctic Wolf researchers uncovered a targeted campaign, GPUGate, that uses malicious GitHub Desktop installers promoted via Google Ads to distribute evasive malware. The attack leverages commit‑specific links and lookalike domains to mimic legitimate GitHub downloads and trick users, particularly IT personnel, into installing a large MSI payload. A GPU‑gated decryption routine keeps the malware dormant in virtualized or low‑power environments, while PowerShell execution with policy bypasses and scheduled‑task persistence provide elevated privileges and long‑term access.

Tue, September 9, 2025

GitHub Actions workflows abused in 'GhostAction' campaign

🔒 GitGuardian disclosed a campaign called "GhostAction" that tampers with GitHub Actions workflows to harvest and exfiltrate secrets to attacker-controlled domains. Attackers modified workflow files to enumerate repository secrets, hard-code them into malicious workflows, and forward credentials such as container registry and cloud provider keys. The researchers say 3,325 secrets from 327 users across 817 repositories were stolen, and they published IoCs while urging maintainers to review workflows, rotate exposed credentials, and tighten Actions controls.

Tue, September 9, 2025

Salesloft: GitHub Compromise Led to Drift OAuth Theft

🔒 Salesloft confirmed that a threat actor gained access to its GitHub account between March and June 2025, using that access to download repositories, add a guest user and create workflows. The attacker then moved into the Drift app environment, obtained OAuth tokens and used Drift integrations to access customers’ Salesforce instances and exfiltrate secrets. Affected customers include security vendors such as Tenable, Qualys, Palo Alto Networks, Cloudflare and Zscaler. Google Mandiant performed containment, rotated credentials and validated segmentation; the incident is now in forensic review.

Mon, September 8, 2025

GhostAction GitHub Supply Chain Attack Exposes 3,325 Secrets

🚨 A GitHub supply chain campaign dubbed GhostAction has exposed 3,325 secrets across multiple package ecosystems and repositories. GitGuardian says attackers abused compromised maintainer accounts to insert malicious GitHub Actions workflows that trigger on push or manual dispatch, read repository secrets, and exfiltrate them via HTTP POST to an external domain. Compromised credentials include PyPI, npm, DockerHub, Cloudflare, AWS keys and database credentials; vendors were notified and many repositories reverted the changes.

Mon, September 8, 2025

Salesloft March GitHub Breach Led to Salesforce Data Theft

🔒 Salesloft says attackers first breached its GitHub account in March, enabling the theft of Drift OAuth tokens later abused to access customer systems. The stolen tokens were used in widespread Salesforce data-theft operations disclosed in August, affecting multiple enterprise customers. Salesloft engaged Mandiant, rotated credentials, isolated Drift infrastructure, and restored integrations after validating containment.

Mon, September 8, 2025

GitHub Account Compromise Led to Salesloft Drift Breach

🔒 Salesloft says the breach tied to its Drift application began after a threat actor compromised its GitHub account. Google-owned Mandiant traced the actor, tracked as UNC6395, accessing the account from March through June 2025 and downloading repository content, adding a guest user and establishing workflows. Attackers then accessed Drift's AWS environment and obtained OAuth tokens used to reach customer data via integrations, prompting Salesloft to isolate Drift infrastructure and take the application offline on September 5, 2025. Salesloft recommends revoking API keys for third-party apps integrated with Drift, and Salesforce has restored most Salesloft integrations while keeping Drift disabled pending further remediation.

Mon, September 8, 2025

GPUGate: Malware Uses Google Ads and GitHub Redirects

🔒 Cybersecurity researchers have disclosed a sophisticated malvertising campaign that leverages paid search ads and manipulated GitHub commit URLs to redirect victims to attacker-controlled infrastructure. The first-stage dropper is a bloated 128 MB MSI that evades many online sandboxes and employs a GPU-gated decryption routine dubbed GPUGate, which aborts on systems lacking a real GPU or proper drivers. The campaign uses a lookalike domain (gitpage[.]app) and a VBScript-to-PowerShell chain that gains admin privileges, adds Microsoft Defender exclusions, establishes persistence, and stages secondary payloads for data theft.

Mon, September 8, 2025

GhostAction Campaign Steals 3,325 Secrets via GitHub Actions

🔍 GitGuardian disclosed a GitHub Actions supply chain campaign named GhostAction that exfiltrated 3,325 secrets from 327 users across 817 repositories before being contained on September 5. Attackers injected malicious workflow files to harvest CI/CD tokens (including PYPI_API_TOKEN) and sent them via HTTP POST to an actor-controlled endpoint. GitGuardian coordinated with maintainers and registries to revert commits, set impacted packages to read-only, and notify vendors.

Mon, September 8, 2025

GhostAction Supply-Chain Attack Steals 3,325 Secrets

🔒 GitGuardian uncovered a widespread supply-chain campaign it named GhostAction after detecting suspicious activity in a FastUUID GitHub repository. A compromised maintainer pushed a malicious GitHub Actions workflow that harvested secrets, initially capturing a PyPI token, and further investigation revealed hundreds of similar commits across multiple repositories. In total 3,325 secrets were exfiltrated from 817 repositories belonging to 327 users, with DockerHub credentials, GitHub tokens and npm tokens among the most common. GitGuardian notified platform security teams and many affected projects have begun reverting malicious changes while investigations continue.

Sat, September 6, 2025

AI-powered Nx malware exposes 2,180 GitHub accounts

🔒 A backdoored NPM package published from the Nx repository delivered a post-install credential stealer named telemetry.js, which targeted Linux and macOS systems for GitHub and npm tokens, SSH keys, .env files and crypto wallets. The malware exfiltrated harvested secrets to public repositories named s1ngularity-repository. Attackers unusually used AI CLI tools (Claude, Q, Gemini) to run tuned LLM prompts for better credential harvesting. Nx and GitHub removed the packages, revoked tokens, and implemented 2FA, tokenless publishing and manual PR approvals.

Wed, September 3, 2025

Malicious npm Packages Use Ethereum to Deliver Malware

⚠️ ReversingLabs researchers uncovered a supply chain campaign that used Ethereum smart contracts to conceal URLs for malware delivered via rogue GitHub repositories and npm packages. The packages colortoolsv2 and mimelib2 were intentionally minimal and designed to be pulled as dependencies from fraudulent repositories posing as cryptocurrency trading bots. Attackers inflated commit histories with sockpuppet accounts and automated pushes to appear legitimate, then used on-chain storage to hide secondary payload locations and evade URL-scanning defenses.

Wed, September 3, 2025

Malicious npm Packages Use Ethereum Smart Contracts

🔒 Cybersecurity researchers discovered two malicious npm packages that use Ethereum smart contracts to hide commands and deliver downloader malware to compromised systems. The packages — colortoolsv2 (7 downloads) and mimelib2 (1 download) — were uploaded in July 2025 and removed from the registry. The campaign leveraged a network of GitHub repositories posing as crypto trading tools and is linked to a distribution-as-service operation called Stargazers Ghost Network. Developers are urged to scrutinize packages and maintainers beyond surface metrics before adopting libraries.

Mon, September 1, 2025

Supply-Chain Attack on npm Nx Steals Developer Credentials

🔒 A sophisticated supply-chain attack targeted the widely used Nx build-system packages on the npm registry, exposing developer credentials and sensitive files. According to a report from Wiz, attackers published malicious Nx versions on August 26, 2025 that harvested GitHub and npm tokens, SSH keys, environment variables and cryptocurrency wallets. The campaign uniquely abused installed AI CLI tools (for example, Claude and Gemini) by passing dangerous permission flags to exfiltrate file-system contents and perform reconnaissance, then uploaded roughly 20,000 files to attacker-controlled public repositories. Organizations should remove affected package versions, rotate exposed credentials and inspect developer workstations and CI/CD pipelines for persistence.

Sun, August 31, 2025

Anthropic Tests Web Version of Claude Code for Developers

🛠️ Anthropic is rolling out a research preview of a web-based Claude Code, bringing its terminal-focused coding assistant into the browser at Claude.ai/code. The web preview requires installing the GitHub Claude app on a repository and committing a "Claude Dispatch" GitHub workflow file before use, with optional email and web notifications for updates. Claude Code—already available in terminals and integrated editors under paid plans—can inspect codebases to help fix bugs, test features, simplify Git tasks, and automate workflows. It remains unclear whether the terminal and web versions can access or share the same repository content or usage data.

Fri, August 29, 2025

Nx npm Package Hijacked to Exfiltrate Data via AI Toolchain

🛡️ Malicious updates to the Nx npm package were published on 26 August, briefly delivering AI-assisted data‑stealing malware to developer systems. The infected releases injected crafted prompts into local AI CLIs (Anthropic’s Claude, Google Gemini, Amazon Q) to locate GitHub/npm tokens, SSH keys, .env secrets and cryptocurrency wallets, then encoded and uploaded the harvest by creating public repositories under victims' accounts. StepSecurity says eight compromised versions were live for five hours and 20 minutes and that attackers subsequently weaponized stolen GitHub CLI OAuth tokens to expose and fork private organization repositories. Recommended mitigation includes revoking tokens and SSH/GPG keys, making exposed repos private, disconnecting affected users and following a full remediation plan.

Thu, August 28, 2025

Supply-Chain Attacks on Nx and React Expose Dev Credentials

🔒 A coordinated supply-chain campaign compromised multiple npm packages — most notably the Nx build system — and used post-install scripts to harvest developer assets across enterprise environments. Wiz found the malware weaponized local AI CLI tools to exfiltrate filesystem contents, tokens, SSH keys, and environment variables. Separately, JFrog uncovered obfuscated malicious React packages designed to steal Chrome data. Vendors removed the packages and recommend rotating credentials, removing affected versions, and auditing developer and CI systems.

Thu, August 28, 2025

Nx Build Supply-Chain Attack: Trojanized Packages Detected

🔐 The Nx package ecosystem was trojanized via a malicious post-install script, telemetry.js, which exfiltrated developer secrets from macOS and *nix environments. Stolen items included npm and GitHub tokens, SSH keys, crypto wallets, API keys and .env contents, uploaded to public GitHub repositories. Immediate actions include auditing Nx package versions, removing affected node_modules, rotating all potentially exposed secrets and monitoring repositories and Actions for misuse.

Thu, August 28, 2025

Malicious Nx npm Packages in 's1ngularity' Supply Chain

🔒 The maintainers of nx warned of a supply-chain compromise that allowed attackers to publish malicious versions of the npm package and several supporting plugins that gathered credentials. Rogue postinstall scripts scanned file systems, harvested GitHub, cloud and AI credentials, and exfiltrated them as Base64 to public GitHub repositories named 's1ngularity-repository' under victim accounts. Security firms reported 2,349 distinct secrets leaked; maintainers rotated tokens, removed the malicious versions, and urged immediate credential rotation and system cleanup.

Tue, August 26, 2025

Hook Android Trojan Evolves with Ransomware Features

🛡️ Researchers at Zimperium zLabs have detected a new variant of the Hook Android banking Trojan that expands beyond banking fraud to include ransomware-style overlays and advanced surveillance tools. The sample supports 107 remote commands, 38 of which are newly introduced, enabling fake NFC prompts, lock-screen bypasses, transparent gesture-capturing overlays and real-time screen streaming. Operators are distributing malicious APKs via GitHub repositories and continue to exploit Android Accessibility Services for automated fraud and persistent control. Industry observers warn the campaign is global and rapidly escalating, increasing risks to both enterprises and individual users.

Tue, August 26, 2025

HOOK Android Trojan Adds Ransomware Overlays, Expands

🔒 Cybersecurity researchers at Zimperium zLabs have identified a new HOOK Android banking trojan variant that deploys full-screen ransomware-style overlays to extort victims. The overlay is remotely triggered via the command "ransome" and displays a warning, wallet address and amount, and can be dismissed by the attacker with "delete_ransome". An offshoot of ERMAC, the latest HOOK builds on banking malware techniques and now supports 107 remote commands, introducing transparent gesture-capture overlays, fake NFC and payment screens, and deceptive unlock prompts to harvest credentials and crypto recovery phrases.