Organizations urged to act fast after GitHub Action supply chain attack
The GitHub Action incident has enterprises scrambling to protect secrets


More than 20,000 organizations may be at risk following a supply chain attack affecting the tj-actions/changed-files GitHub Action.
GitHub Actions is a continuous integration and continuous delivery (CI/CD) service that enables developers to automate software builds and tests. Workflows are triggered by specific events, for example when new code is committed to the repository.
Used in more than 23,000 repositories, tj-actions/changed-files is a GitHub Action that retrieves all changed files and directories.
On Friday, a malicious commit in the Action was discovered by researchers at StepSecurity, whereby attackers modified its code and retroactively updated multiple version tags to reference the malicious commit.
"The compromised Action prints CI/CD secrets in GitHub Actions build logs," warned StepSecurity.
"If the workflow logs are publicly accessible (such as in public repositories), anyone could potentially read these logs and obtain exposed secrets. There is no evidence that the leaked secrets were exfiltrated to any remote network destination."
The malicious commit causes the compromised Action to execute a Python script that dumps CI/CD secrets, impacting thousands of CI pipelines.
"This CVE impacts public GitHub repositories with GitHub Actions enabled. All versions were impacted," said Dimitri Stiliadis, CTO and co-founder of Endor Labs.
"For organizations that build software, they will likely need to reconfigure their pipelines if they are using the compromised Action. The attack shouldn’t generally cause outages for customers, but it could block organizations from making other changes."
Attackers may now attempt to compromise the software supply chain for other open source libraries, binaries, and artifacts created with the Action, researchers warned, potentially impacting thousands of open source packages.
"We have no evidence that any downstream open source library or containers has been impacted at this time. But we urge open source maintainers and the security community to join us in keeping a close eye out for potential secondary compromises," said Stiliadis.
"GitHub has removed the Action, and users must find alternative implementations. This means that CI pipelines using the compromised Action could crash unless you are using a cached version."
How to check for GitHub Action anomalies
StepSecurity advised users of any version of the tj-actions/changed-files Action to stop using it immediately until the incident is resolved.
It has released a free, secure, drop-in replacement - step-security/changed-files - and recommends updating all instances of tj-actions/changed-files in workflows to this instead.
Users should also perform a code search across their repositories to discover all instances of the tj-actions/changed-files Action.
Reviewing GitHub Actions workflow run logs is also advised to uncover any recent executions of the Action. If any are discovered, the secrets available to those runs should be rotated immediately.
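The code search described above, and the tag-retargeting described earlier, can be audited in one pass over workflow files. The following is an added example (not StepSecurity's or GitHub's own tooling): it lists every third-party `uses:` reference in a workflow, flags the compromised Action, and reports whether each reference is pinned to an immutable full-length commit SHA rather than a movable tag. The workflow text and the 40-character SHAs in it are constructed sample input, not references to real commits.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from any real repository); the SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: Get changed files
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@89abcdef0123456789abcdef0123456789abcdef
      - uses: step-security/changed-files@v45
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
COMPROMISED = "tj-actions/changed-files"  # named on the page as the affected Action


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """One finding per `uses: owner/repo@ref` step.

    `compromised` marks the affected Action regardless of ref, since every
    version was reported impacted and the Action has been removed.
    `pinned_to_sha` is False for tag or branch refs, which a repository owner
    (or an attacker with push access) can move to a different commit."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        findings.append({
            "action": action,
            "ref": ref,
            "compromised": action == COMPROMISED,
            "pinned_to_sha": bool(SHA_RE.match(ref)),
        })
    return findings


def needs_action(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Findings a maintainer must act on: replace the compromised Action,
    or re-pin a tag reference to a reviewed full-length commit SHA."""
    return [f for f in findings if f["compromised"] or not f["pinned_to_sha"]]


if __name__ == "__main__":
    for f in needs_action(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"{f['action']}@{f['ref']}: compromised={f['compromised']} sha_pinned={f['pinned_to_sha']}")
```

Run it over every file under `.github/workflows/` in each repository; any finding marked compromised means the run logs for that workflow need reviewing and the secrets it could reach need rotating.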
"The focus now has to be on what’s next. How long will it take the thousands of open source GitHub repos affected to take the proper security measures and revoke/change secrets?" commented Stiliadis.
"What can happen in the meantime is the damage can range from nothing to catastrophic scenarios, depending on who the attacker was and why they did it."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.