What is a GitHub Actions supply chain attack?

It's when malicious workflows sneak into repos via PRs, granting attackers access like OIDC tokens to impersonate your project in cloud deploys.

How do I check if my repo has this MCP attack workflow?

Search for commit hash 34e114876b or action hashgraph-online/skill-publish@1c30734416d9b05948ccd7f4b3cf60baada87e9e in your .github/workflows.

Is Hashgraph Online behind the attack?

Strong links via sockpuppets and their action as payload, but no smoking gun—yet. Treat their tools as risky.

⚙️ DevOps & Platform Eng

Dissecting the GitHub Actions Attack That Infiltrated 250+ MCP Repositories

A single pull request seemed innocuous—until it revealed a sprawling GitHub Actions supply chain attack across 250+ repos. Attackers used sockpuppet accounts to escalate from awesome lists to token theft.

theAIcatchup Apr 08, 2026 3 min read

Diagram of GitHub Actions supply chain attack phases targeting MCP repositories

⚡ Key Takeaways

Attack spanned 250+ MCP repos in five phases, from awesome lists to OIDC token theft. 𝕏
Sockpuppet 'internet-dot' built credibility over months before striking. 𝕏
Audit workflows for hashgraph-online/skill-publish; mirrors SolarWinds tactics for AI era. 𝕏

Published by

theAIcatchup

Ship faster. Build smarter.

#GitHub Actions

Worth sharing?

Get the best Developer Tools stories of the week in your inbox — no noise, no spam.

Originally reported by dev.to

⚡ Key Takeaways

The 60-Second TL;DR

theAIcatchup

Share this article

Worth sharing?

Related Stories

SonarQube GitHub Actions: The Bulletproof Shield Every Repo Needs

What If Your CI Pipeline Was Half as Slow Overnight? One Dev's Docker Trick That Delivered

GitHub Pages in 2026: Free Jekyll Hosting That Actually Works – No Hype, Just Steps

Zero Dollars to Track Cattle Prices Forever: Git as a Temporal Database via GitHub Actions

Stay in the loop