The GhostAction Campaign: 3,325 Secrets Stolen Through Compromised GitHub Workflows. On September 5, 2025, GitGuardian discovered GhostAction, a massive supply chain attack affecting 327 GitHub users across 817 repositories. Attackers injected malicious workflows that exfiltrated 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote endpoint. As a security researcher at GitGuardian, Gaetan is pioneering innovations in secret detection. He uses his offensive security and Red Team background to improve our approach to cybersecurity. Guillaume is a Cybersecurity Researcher at GitGuardian. He holds a PhD in networking. He likes looking at data and crafting packets. He co-maintains Scapy. And he still remembers what AT+MS=V34 means!. Third-party company: GitHub Workflows.