From: 'GitHub Security' via meshery-ci <c...@meshery.io>
Date: April 3, 2026 at 12:35:12 PM CDT
To: meshery-ci <c...@meshery.io>
Subject: Important Information about your GitHub Account
Reply-To: GitHub Security <no-r...@github.com>
Hi meshery-ci,
We are writing to let you know that on March 31, 2026, a threat actor published compromised versions of the axios npm package (versions 1.14.1 and 0.30.4) to the npm registry. npm quickly removed the compromised package. GitHub conducted an investigation into the axios compromise and during that investigation, we discovered that one or more repositories associated with your account ran a GitHub Actions workflow that installed the compromised package, and that the malicious code successfully communicated with an external command-and-control server. We recommend you treat any secrets available to the affected workflow runs as potentially compromised and rotate them immediately.
The sources of data used to derive this information are not available to customers. GitHub does not expose per-runner network telemetry for workflow runs, and can’t query such telemetry, when available, on behalf of individual customers. GitHub does not commit to being able to perform notifications for similar events in the future. We are sharing this information because the specific circumstances of this case allowed us to perform this analysis as part of our own investigation, and when possible we share such information with customers. GitHub is conducting a thorough investigation which remains ongoing.
Please note, this is not a notification of a security incident as defined in the GitHub Data Protection Agreement or a privacy incident as defined in any applicable privacy or security regulations. GitHub is providing this notification for your awareness as a one-time courtesy. Please see the "What you can do" section below for our recommendations about what actions you may wish to take.
* What happened? *
On March 31, 2026, a threat actor published malicious versions of the popular axios npm package (1.14.1 and 0.30.4) to the npm registry after compromising the package maintainer's account. The malicious versions contained a dependency that executed a post-install script designed to connect to an attacker-controlled server at 142.11.206.73 on port 8000. The compromised versions were available for approximately three hours before npm removed them. Microsoft has published a detailed analysis of the compromise: https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/
GitHub investigated the axios compromise and its potential impact on our platform. During that investigation, we identified that GitHub Actions workflow runs associated with repositories linked to your account installed the compromised package during this window. Our network telemetry confirms that the malicious code in those workflow runs successfully exchanged data with the attacker's command-and-control server. This means secrets and environment variables available to those workflow runs may have been exfiltrated.
* What information was involved? *
The malicious package had access to the GitHub Actions runner environment during the affected workflow runs, which may have included:
- Secrets and environment variables configured for the workflow
- The GITHUB_TOKEN issued for the workflow run
- Any credentials, API keys, or tokens passed to the workflow
* What GitHub is doing *
GitHub removed the compromised axios versions from the npm registry within hours of detection and suspended the compromised maintainer account. We published a GitHub Security Advisory (https://github.com/advisories/GHSA-fw8c-xr5c-95f9) and Dependabot alerts to notify all users of the malicious package versions. We are also directly notifying account holders like you where our telemetry indicates the malicious code executed in your environment and communicated with the attacker's server.
* What you can do *
We strongly recommend rotating all secrets that were available to the affected workflow runs listed below. This includes repository secrets, organization secrets, environment secrets, and any credentials passed via environment variables. To determine which secrets were in scope, review the workflow run logs linked in the appendix below. Please see https://docs.github.com/en/actions/how-tos/monitor-workflows/use-workflow-run-logs for details on how to use the workflow run logs.
After rotating credentials, we recommend reviewing your audit logs for any unexpected actions taken using those credentials during and after the March 31 window.
Finally, ensure your workflows are not pulling a compromised version of axios. We recommend pinning dependencies to a specific commit SHA (https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) rather than a mutable version tag. If pinning to a version, use 1.8.4 or earlier, or 1.14.2+. Additionally, check for the auto-update persistence mechanism described in the MSRC blog linked above and remove it if present.
GitHub Support does not have any additional logs or details to share beyond the information included in this notification. We recommend reviewing any other available logging solutions you have available when conducting research. However, if you have remaining questions or concerns, feel free to reach out to GitHub Support through the following contact form:
https://support.github.com/contact?form%5Bsubject%5D=Re:Reference+GH-0384726-5026-a&tags=GH-0384726-5026-a
Thanks,
GitHub Security
<Reference # GH-0384726-5026-a>
* Affected repositories and workflow runs *
Repository: meshery/meshery.io
Window: 2026-03-31 01:06:08 UTC to 2026-03-31 01:06:08 UTC
Workflow run: https://github.com/meshery/meshery.io/actions/runs/23775493164
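As an added example (not GitHub's, Meshery's or Microsoft's code) of the lockfile check the notice recommends, the script below walks a package-lock.json, assumed to use the lockfileVersion 2/3 "packages" layout, and labels every installed copy of axios, nested copies included, against the versions and ranges the notice states; the sample lockfile is constructed.

```python
"""Flag axios versions named in the GitHub notice in a package-lock.json (v2/v3)."""
import json
import re

COMPROMISED = {"1.14.1", "0.30.4"}   # versions the notice names as malicious
SAFE_UPPER_OLD = (1, 8, 4)            # notice: "1.8.4 or earlier"
SAFE_LOWER_NEW = (1, 14, 2)           # notice: "1.14.2+"


def parse_version(v):
    """Turn '1.14.1' (or '^1.14.1', '1.14.1-rc.1') into a comparable tuple."""
    m = re.match(r"\D*(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Map one resolved axios version onto the notice's guidance."""
    if version in COMPROMISED:
        return "compromised"
    t = parse_version(version)
    if t <= SAFE_UPPER_OLD or t >= SAFE_LOWER_NEW:
        return "safe-per-notice"
    return "outside-listed-safe-ranges"


def axios_entries(lock):
    """Yield (path, version) for every installed axios copy, nested ones included."""
    for path, meta in lock.get("packages", {}).items():
        # keys look like "node_modules/axios" or "node_modules/x/node_modules/axios"
        if path.split("node_modules/")[-1] == "axios":
            yield path, meta["version"]


def scan_lockfile(text):
    """Return {install path: verdict} for every axios entry in the lockfile."""
    return {p: classify(v) for p, v in axios_entries(json.loads(text))}


# Constructed sample lockfile: a direct axios 1.14.1 plus two nested copies.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/some-sdk/node_modules/axios": {"version": "1.8.4"},
        "node_modules/other-sdk/node_modules/axios": {"version": "1.12.0"},
    },
})
```

Run `scan_lockfile(open("package-lock.json").read())` against a real lockfile; any "compromised" verdict means the run that installed it is in scope for the secret rotation described above.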
--
You received this message because you are subscribed to the Google Groups "meshery-ci" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ci+unsu...@meshery.io.
To view this discussion visit https://groups.google.com/a/meshery.io/d/msgid/ci/69cffa4e72b5c_2b839911081262c9%40github-lowworker-5f73a9d.va3-iad.github.net.mail.
For more options, visit https://groups.google.com/a/meshery.io/d/optout.