Fwd: Important Information about your GitHub Account


Julien Dubois

Apr 3, 2026, 1:40:26 PM (4 days ago) Apr 3
to JHipster dev team
Hello everyone,

I’m sending this to the public mailing list as it’s too late anyway!
We’ll need to rotate our tokens, etc.

I’ll do my best to do this ASAP

Julien Dubois



---------- Forwarded message ---------


Hi jdubois,

We are writing to let you know that on March 31, 2026, a threat actor published compromised versions of the axios npm package (versions 1.14.1 and 0.30.4) to the npm registry. npm quickly removed the compromised package. GitHub conducted an investigation into the axios compromise and during that investigation, we discovered that one or more repositories associated with your account ran a GitHub Actions workflow that installed the compromised package, and that the malicious code successfully communicated with an external command-and-control server. We recommend you treat any secrets available to the affected workflow runs as potentially compromised and rotate them immediately.

The sources of data used to derive this information are not available to customers. GitHub does not expose per-runner network telemetry for workflow runs, and can’t query such telemetry, when available, on behalf of individual customers. GitHub does not commit to being able to perform notifications for similar events in the future. We are sharing this information because the specific circumstances of this case allowed us to perform this analysis as part of our own investigation, and when possible we share such information with customers. GitHub is conducting a thorough investigation which remains ongoing.

Please note, this is not a notification of a security incident as defined in the GitHub Data Protection Agreement or a privacy incident as defined in any applicable privacy or security regulations. GitHub is providing this notification for your awareness as a one-time courtesy. Please see the "What you can do" section below for our recommendations about what actions you may wish to take.

* What happened? *

On March 31, 2026, a threat actor published malicious versions of the popular axios npm package (1.14.1 and 0.30.4) to the npm registry after compromising the package maintainer's account. The malicious versions contained a dependency that executed a post-install script designed to connect to an attacker-controlled server at 142.11.206.73 on port 8000. The compromised versions were available for approximately three hours before npm removed them. Microsoft has published a detailed analysis of the compromise: https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/

GitHub investigated the axios compromise and its potential impact on our platform. During that investigation, we identified that GitHub Actions workflow runs associated with repositories linked to your account installed the compromised package during this window. Our network telemetry confirms that the malicious code in those workflow runs successfully exchanged data with the attacker's command-and-control server. This means secrets and environment variables available to those workflow runs may have been exfiltrated.

* What information was involved? *

The malicious package had access to the GitHub Actions runner environment during the affected workflow runs, which may have included:

- Secrets and environment variables configured for the workflow
- The GITHUB_TOKEN issued for the workflow run
- Any credentials, API keys, or tokens passed to the workflow

* What GitHub is doing *

GitHub removed the compromised axios versions from the npm registry within hours of detection and suspended the compromised maintainer account. We published a GitHub Security Advisory (https://github.com/advisories/GHSA-fw8c-xr5c-95f9) and Dependabot alerts to notify all users of the malicious package versions. We are also directly notifying account holders like you where our telemetry indicates the malicious code executed in your environment and communicated with the attacker's server.

* What you can do *

We strongly recommend rotating all secrets that were available to the affected workflow runs listed below. This includes repository secrets, organization secrets, environment secrets, and any credentials passed via environment variables. To determine which secrets were in scope, review the workflow run logs linked in the appendix below. Please see https://docs.github.com/en/actions/how-tos/monitor-workflows/use-workflow-run-logs for details on how to use the workflow run logs.

After rotating credentials, we recommend reviewing your audit logs for any unexpected actions taken using those credentials during and after the March 31 window.

Finally, ensure your workflows are not pulling a compromised version of axios. We recommend pinning dependencies to a specific commit SHA (https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) rather than a mutable version tag. If pinning to a version, use 1.8.4 or earlier, or 1.14.2+. Additionally, check for the auto-update persistence mechanism described in the MSRC blog linked above and remove it if present.

GitHub Support does not have any additional logs or details to share beyond the information included in this notification. We recommend reviewing any other available logging solutions you have available when conducting research. However, if you have remaining questions or concerns, feel free to reach out to GitHub Support through the following contact form:

https://support.github.com/contact?form%5Bsubject%5D=Re:Reference+GH-0384726-5026-a&tags=GH-0384726-5026-a

Thanks,
GitHub Security
<Reference # GH-0384726-5026-a>

* Affected repositories and workflow runs *

Repository: hipster-labs/jhipster-daily-builds
Window: 2026-03-31 02:53:41 UTC to 2026-03-31 02:54:59 UTC
Workflow run: https://github.com/hipster-labs/jhipster-daily-builds/actions/runs/23778146531

Repository: jhipster/generator-jhipster
Window: 2026-03-31 00:27:54 UTC to 2026-03-31 03:13:30 UTC
Workflow run: https://github.com/jhipster/generator-jhipster/actions/runs/23776956245
Workflow run: https://github.com/jhipster/generator-jhipster/actions/runs/23775433681
Workflow run: https://github.com/jhipster/generator-jhipster/actions/runs/23775433679
Workflow run: https://github.com/jhipster/generator-jhipster/actions/runs/23774470136
Workflow run: https://github.com/jhipster/generator-jhipster/actions/runs/23774338915
Workflow run: https://github.com/jhipster/generator-jhipster/actions/runs/23778453504
Workflow run: https://github.com/jhipster/generator-jhipster/actions/runs/23778453468
Workflow run: https://github.com/jhipster/generator-jhipster/actions/runs/23777525176
Workflow run: https://github.com/jhipster/generator-jhipster/actions/runs/23777525210

Repository: jhipster/generator-jhipster-ionic
Window: 2026-03-31 00:27:20 UTC to 2026-03-31 00:29:47 UTC
Workflow run: https://github.com/jhipster/generator-jhipster-ionic/actions/runs/23774369816

Repository: jhipster/generator-jhipster-quarkus
Window: 2026-03-31 00:37:28 UTC to 2026-03-31 00:43:00 UTC
Workflow run: https://github.com/jhipster/generator-jhipster-quarkus/actions/runs/23774684174

Repository: jhipster/jhipster-bom
Window: 2026-03-31 01:59:04 UTC to 2026-03-31 02:04:16 UTC
Workflow run: https://github.com/jhipster/jhipster-bom/actions/runs/23776770108
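A lockfile check for the dependency advice in the "What you can do" section of the notice above, added here as an example (it is not code from GitHub's notice or from the JHipster project). It assumes a standard package-lock.json layout, takes the compromised versions and the recommended ranges from the notice text, and runs on a constructed sample lockfile.

```javascript
// Added example: scan an npm lockfile for axios versions named in the GitHub notice.
// Compromised versions and the recommended ranges (<= 1.8.4 or >= 1.14.2) come from the notice.
const COMPROMISED = new Set(['1.14.1', '0.30.4']);

// Compare two dotted versions numerically: returns -1, 0 or 1.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Classify one axios version: 'compromised', 'ok' (inside a recommended range) or 'outside-recommended'.
function classifyAxios(version) {
  if (COMPROMISED.has(version)) return 'compromised';
  if (cmpVersion(version, '1.8.4') <= 0 || cmpVersion(version, '1.14.2') >= 0) return 'ok';
  return 'outside-recommended';
}

// Collect every axios entry (top-level and nested) from a parsed package-lock.json.
// Handles lockfileVersion 2/3 ("packages" keyed by path) and v1 ("dependencies", nested).
function findAxios(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/axios' || path.endsWith('/node_modules/axios')) {
      hits.push({ path, version: meta.version, status: classifyAxios(meta.version) });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'axios') hits.push({ path, version: meta.version, status: classifyAxios(meta.version) });
      walk(meta.dependencies, `${path}/`); // v1 lockfiles nest transitive deps here
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // v2 lists both; avoid double counting
  return hits;
}

// Constructed sample lockfile (v3 layout): a safe top-level axios plus a bad nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/axios': { version: '1.14.2' },
    'node_modules/some-lib/node_modules/axios': { version: '1.14.1' },
  },
};

// On a real project: findAxios(JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')))
for (const hit of findAxios(SAMPLE_LOCK)) console.log(hit.status.padEnd(20), hit.version.padEnd(8), hit.path);
```

Nested copies matter because a transitive dependency can pull in a different axios than the one pinned at the top level, which a plain `npm ls axios` on the root alone does not reveal.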

Julien Dubois

Apr 3, 2026, 2:18:28 PM (4 days ago) Apr 3
to JHipster dev team
Update:

- I fixed the Docker Hub secret: that’s the most important one.
  - I just have a doubt for JHipster Online, as it uses a different mechanism -> I think it’s Docker Hub which builds and deploys it, so it’s the other way around and it should be safe, but maybe I broke the publishing pipeline
- Sonar token: we need to rotate the token, but I’m not the owner so I can’t do anything. This isn’t critical as people can only hack our Sonar instance which has nothing really important -> there aren’t a lot of people who can generate this token, I’ll have a look
- NPM token and other specific credentials in JHipster Ionic and JHipster Quarkus: again, this isn’t me, I guess that’s Matt and/or Anthony, I’ll also look around

-> I’ll ping the relevant people over LinkedIn, I think this will be faster than this mailing list

Julien

julien...@gmail.com

Apr 3, 2026, 2:43:15 PM (4 days ago) Apr 3
to JHipster dev team
The Sonar Token belongs to Daniel, he's on it: we're safe with this, anyway the attacker could only modify our quality gate, or delete the project... It's annoying but not a security risk for our users.


Frederik Hahne

Apr 3, 2026, 3:48:43 PM (4 days ago) Apr 3
to julien...@gmail.com, JHipster dev team
Are there any signs of suspicious activity on docker or npm?

Best regards
Frederik


Julien Dubois

Apr 4, 2026, 3:17:27 AM (4 days ago) Apr 4
to Frederik Hahne, JHipster dev team
For Docker: no, I have checked the logs, nothing happened since our last release.
For NPM, there’s a token which was used for Ionic and Quarkus, and I don’t know who it belongs to. That person may have a greater risk if his token can be used for other projects. We’re still trying to find out (not many people worked on those projects).

-> I have removed most write access to NPM except mine (easy: I have no tokens, so I’m sure I’m not at risk!) until we find out more.

Julien Dubois

Anthony Viard

Apr 4, 2026, 4:43:47 AM (3 days ago) Apr 4
to Julien Dubois, Frederik Hahne, JHipster dev team
I checked yesterday, and no releases have been done in the Quarkus bp repository. I don’t think it is my token because I don’t have any in my account.
Is it yours Daniel Petisme?

Regarding GitHub, same: I have no token defined in my account, but I’m sure the variable defined in the repo is mine since I used it to publish to the sample app repo. Does GitHub delete tokens automatically after a period of non-use?

We may try it by doing a Quarkus release, pretty sure it will not work (at least for the sample app).

Cheers,

Anthony 
Sent from my iPhone
