Cybercriminals have intensified their abuse of GitHub's trusted infrastructure, turning the world's largest code-hosting platform into a delivery channel for software supply chain attacks. The Water Curse campaign, active since at least March 2023, is a financially motivated operation that has used at least 76 GitHub accounts to distribute malware and steal developer credentials through coordinated attacks against multiple industry sectors.
Security researchers describe the campaign as a blend of conventional cybercrime and aggressive monetization. The operators publish repositories that advertise tools their targets want to run, including cryptocurrency wallet hacking utilities, OSINT scrapers, spamming bots, and credential stealers, and trojanize them so that building or running the project infects the developer instead. The payloads span several malware families, including AsyncRAT, DeerStealer, Filch Stealer, LightPerlGirl, and SectopRAT, frequently staged through a loader such as Hijack Loader. For scale, the widely cited industry-wide average cost of a data breach stands at $4.35 million, so even a single stolen deployment credential can be expensive.
The attackers' most insidious method abuses GitHub Actions workflows in widely used third-party actions. Having gained push access, typically with a stolen personal access token (PAT), they commit a malicious change and then force-move the action's version tags (for example v45, or a floating major tag like v1) so that they point at that commit. Every downstream workflow that references the action by tag rather than by commit SHA silently pulls the injected code on its next run, and it executes inside the consumer's CI/CD pipeline with that pipeline's secrets in scope. The injected script writes those secrets into the build log, where anyone who can read the log, which for a public repository is everyone, can collect them. In the campaign's direct operations, stolen data is exfiltrated through Telegram channels and public file-sharing platforms.
Attackers weaponize GitHub Actions workflows, injecting malicious scripts into CI/CD pipelines to expose sensitive environment secrets in build logs.
The most consequential example of this tag-retargeting technique came in March 2025, when attackers compromised the tj-actions/changed-files action, which was referenced by more than 23,000 repositories. The malicious commit added a Node.js routine that downloaded and ran a Python script; the script read the GitHub Actions runner process memory, extracted the secrets held there, and printed them (base64-encoded) into the build log, so any public repository that ran the action during the window had its CI/CD secrets exposed in publicly readable logs. Security researchers detected the tampering quickly, coordinated advisories followed, and GitHub took the repository offline while the malicious commit and retargeted tags were removed. The incident was assigned CVE-2025-30066. Its Exploit Prediction Scoring System (EPSS) estimate, a modelled probability of exploitation in the wild within the next thirty days, was 74.591%, placing the CVE in the 99th percentile of all scored vulnerabilities.
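The two defensive checks that follow from the technique described above are (1) find every workflow that references an action by a mutable tag or branch instead of an immutable commit SHA, and (2) compare the tags you recorded when you vetted an action against what the remote reports now, so that a force-moved tag is caught before the next run. The script below is an added example and is not code from the page, from the Water Curse report, or from the tj-actions project. It assumes only the standard `owner/repo[/path]@ref` syntax of `uses:` lines and the output format of `git ls-remote --tags`; the workflow text, tag names and all commit SHAs are constructed sample data.

```python
"""Audit GitHub Actions `uses:` references and detect retargeted tags.

Added example (not from the original page or any project it describes).
Assumes the `uses: owner/repo[/path]@ref` syntax and the output format of
`git ls-remote --tags <url>`; sample inputs below are constructed.
"""
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref`, optionally quoted, optional trailing `# comment`.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s"\'#]+)',
    re.MULTILINE,
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


@dataclass(frozen=True)
class Finding:
    action: str
    ref: str
    kind: str  # "pinned-sha", "mutable-tag" or "mutable-ref"


def classify_ref(ref: str) -> str:
    """Only a full 40-hex commit SHA is immutable; any tag or branch can be moved."""
    if FULL_SHA_RE.match(ref):
        return "pinned-sha"
    if VERSION_TAG_RE.match(ref):
        return "mutable-tag"
    return "mutable-ref"  # branch name or a non-version tag


def audit_workflow(yaml_text: str) -> list[Finding]:
    """Return every third-party action reference in a workflow with its pin status."""
    return [
        Finding(m["action"], m["ref"], classify_ref(m["ref"]))
        for m in USES_RE.finditer(yaml_text)
    ]


def parse_ls_remote_tags(output: str) -> dict[str, str]:
    """Map tag name -> commit SHA from `git ls-remote --tags` output.

    Annotated tags appear twice: `refs/tags/X` (the tag object itself) and
    `refs/tags/X^{}` (the peeled commit). The peeled line identifies the code
    a workflow actually checks out, so it takes precedence.
    """
    tags: dict[str, str] = {}
    peeled: dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(maxsplit=1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            peeled[name[:-3]] = sha
        else:
            tags[name] = sha
    tags.update(peeled)
    return tags


def detect_tag_drift(locked: dict[str, str], current: dict[str, str]) -> list[tuple[str, str, str]]:
    """Compare a recorded tag->SHA snapshot with the live one.

    A version tag that now resolves to a different commit is exactly the trace
    left when an attacker force-moves tags onto a malicious commit.
    Returns (tag, recorded_sha, current_sha) for every moved tag.
    """
    return [
        (tag, old, current[tag])
        for tag, old in sorted(locked.items())
        if tag in current and current[tag] != old
    ]


# Constructed sample workflow (not taken from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - name: pinned to a commit (constructed SHA)
        uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567 # v2.3.1
      - uses: example-org/deploy-tool@main
      - run: npm test
"""

# Constructed SHAs: what was recorded when the action was vetted versus what
# the remote reports now. v45 and v45.0.7 have been moved; v44 is an annotated
# tag whose peeled commit is unchanged.
GOOD = "1111111111111111111111111111111111111111"
BAD = "2222222222222222222222222222222222222222"
LOCKED_TAGS = {"v45": GOOD, "v45.0.7": GOOD, "v44": "3333333333333333333333333333333333333333"}
CURRENT_LS_REMOTE = f"""\
{BAD}\trefs/tags/v45
{BAD}\trefs/tags/v45.0.7
4444444444444444444444444444444444444444\trefs/tags/v44
3333333333333333333333333333333333333333\trefs/tags/v44^{{}}
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{f.kind:12} {f.action}@{f.ref}")
    for tag, old, new in detect_tag_drift(LOCKED_TAGS, parse_ls_remote_tags(CURRENT_LS_REMOTE)):
        print(f"TAG MOVED: {tag} {old[:8]} -> {new[:8]}")
```

In production the snapshot in `LOCKED_TAGS` would be captured from `git ls-remote --tags` when an action is first approved and stored alongside the workflow, and `audit_workflow` would be run over every file under `.github/workflows/`. The remediation for each `mutable-*` finding is to replace the tag with the full commit SHA it resolved to at review time, keeping the version in a trailing comment for readability.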
Organizations face substantial risk from these supply chain attacks: secrets leaked from a pipeline are typically cloud, registry, and source-control credentials, so a single exposure can lead to unauthorized access and cascading compromise of downstream systems. The campaign's indiscriminate targeting also erodes trust in the open-source development process itself.
Security experts recommend treating every secret that was available to a workflow that ran an affected action as compromised and rotating it immediately, pinning third-party actions to full commit SHAs rather than mutable tags, restricting personal access tokens to the minimum scopes and repositories they need, and monitoring CI/CD pipeline activity, including reviewing build logs from the exposure window for leaked values, to limit the impact of future incidents.