Supply Chain Attack: Hashgraph Online Deployed Malicious GitHub Actions Across 250+ MCP Repositories
Key Takeaways
- A coordinated campaign used 64+ sockpuppet accounts to inject malicious GitHub Actions workflows into 250+ repositories, escalating across five distinct phases of access
- The attack exploited GitHub's OIDC token system by requesting id-token: write permissions and exfiltrating signed JWTs to external servers controlled by Hashgraph Online
- The campaign began with ecosystem seeding (awesome-lists and plugin registries), progressed through contribution establishment and tool legitimization, before deploying the weaponized workflow at scale
Summary
Security researcher ticktockbent uncovered a sophisticated five-phase supply chain attack targeting over 250 repositories in the Model Context Protocol (MCP) ecosystem. The campaign, orchestrated by a single organization (Hashgraph Online) using 64+ sockpuppet accounts, began in late March 2026 and included malicious GitHub Actions workflows designed to exfiltrate GitHub OIDC tokens to third-party servers. The attack masqueraded as legitimate skill validation tools, with the malicious action automatically minting signed JWTs and uploading them to hol.org during every push and pull request. The initial compromise vector involved seeding awesome-lists and plugin registries with entries for Hashgraph Online tools, establishing credibility before distributing the weaponized workflow across the broader developer community.
- MCP repositories and developers using Hashgraph Online tools were compromised without awareness, as the malicious actions were hidden in seemingly innocuous workflow additions
Editorial Opinion
This attack represents a particularly sophisticated abuse of trust in open-source contribution workflows and GitHub's automation infrastructure. By starting with high-visibility list contributions and gradually establishing organizational credibility through legitimate-looking bug fixes and documentation, the threat actors created plausible deniability and social proof before deploying their payload. The incident highlights the urgent need for stricter controls around OIDC token issuance, repository security policies that require explicit approval for new third-party actions, and community verification mechanisms for widely-used tools in emerging ecosystems like MCP.
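An added example, not code from the researcher or from any affected project: a minimal Python audit that flags a workflow file combining the two conditions described above, an id-token: write grant and a third-party action outside an allow-list. The `TRUSTED_OWNERS` allow-list, the `audit_workflow` function and the sample workflow (including the placeholder `example-org/skill-validator`) are constructed for illustration.

```python
import re

# Assumption: owners this repository trusts; adjust to local policy.
TRUSTED_OWNERS = {"actions", "github"}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
OIDC_RE = re.compile(r"^\s*id-token:\s*['\"]?write['\"]?\s*(?:#.*)?$")
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*['\"]?write-all['\"]?\s*(?:#.*)?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; example-org/skill-validator is a placeholder.
SAMPLE = """\
name: validate
on: [push, pull_request]
permissions:
  id-token: write
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/skill-validator@v1
"""


def audit_workflow(text):
    """Line-based audit of one workflow file's text (no YAML parser needed)."""
    oidc_lines, untrusted = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if OIDC_RE.match(line) or WRITE_ALL_RE.match(line):
            oidc_lines.append(lineno)
        m = USES_RE.match(line)
        if not m or m.group(1).startswith("./"):
            continue  # not an action reference, or a local action
        name, _, version = m.group(1).partition("@")
        if name.split("/")[0] not in TRUSTED_OWNERS:
            untrusted.append({"line": lineno, "action": name,
                              "pinned_to_sha": bool(SHA_RE.match(version))})
    # Conservative: permissions can be job-scoped, but any OIDC grant in the
    # same file as a non-allow-listed action is flagged for human review.
    return {"oidc_lines": oidc_lines, "untrusted_actions": untrusted,
            "flag": bool(oidc_lines) and bool(untrusted)}


if __name__ == "__main__":
    print(audit_workflow(SAMPLE))
```

Run it over every file under `.github/workflows/` in a pull request's head commit, so that a newly added workflow is reviewed before it first executes.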


