THREATNOIR
Subscribe
Back to Feed
Supply ChainApr 29, 2026

Your YAML files hold more credentials than most production servers. The GhostAction campaign las...

GhostAction campaign stole 3,325 secrets from 817 GitHub repos via YAML misconfiguration.

Read at source

Summary

The GhostAction campaign exploited YAML file misconfigurations in GitHub repositories to steal over 3,300 secrets from 817 repos in September. A follow-up campaign, HackerBot-Claw, emerged in February targeting pull_request_target misconfigurations across public repositories. These attacks highlight the risk of storing credentials in configuration files and the vulnerability of open-source supply chains.

Entities

GhostAction (campaign)HackerBot-Claw (campaign)GitHub (technology)YAML (technology)