Security of GitHub Repositories Called Into Question as Multiple Supply Chain Attacks Uncovered

March 20, 2025


How safe are your GitHub repositories? If they are public, a set of recent compromises has called their security into question. GitHub Actions, the widely used CI/CD platform run by Microsoft-owned GitHub, has been the vehicle for at least one major supply chain attack, and third-party actions distributed through it have been compromised several times in recent history, according to researchers with StepSecurity.

The known breach took place on March 14 and exposed the secrets of some 23,000 GitHub repositories that used the compromised action, though it is unclear how many of those secrets the attackers actually harvested. The researchers found additional prior compromises of third-party GitHub Actions and disclosed them in a report on March 18, but there is not yet a known connection between these incidents.

Public GitHub repositories threatened by “actions” flaws

The issues with GitHub Actions appear to be a security risk only for public repositories at this point, according to the StepSecurity researchers. GitHub (owned by Microsoft) removed the malicious code from the most recent reported breach on March 15, but the researchers warn that some of the older compromises could be repeated in the future.

The most recent attack targeted GitHub's CI/CD ecosystem, specifically the popular third-party action tj-actions/changed-files and the "tj-actions-bot" account that maintains its repository. An access token for the bot was somehow obtained by the attackers, who are yet to be named, and used to repoint the action's version tags at a commit containing a malicious Python script that extracts CI/CD secrets from the Runner Worker process. That could have allowed attackers to pull a variety of sensitive information from GitHub repositories in a widespread supply chain attack: personal access and npm tokens, AWS keys, and RSA keys among them.

The catch is that the supply chain attack would only impact GitHub repositories that are already public: the script wrote the harvested secrets into the workflow's build logs, and build logs of public repositories can be read by anyone. The researchers also say that there is no evidence of the attackers exfiltrating this information to remote network destinations, raising questions about their ultimate purpose in pulling the caper.
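Because the malicious code reached victims through a version tag of the action rather than a specific commit, the practical check after an incident like this is to find every workflow that references a third-party action by a mutable tag or branch instead of a full commit SHA. The script below is an added example written for this article; it is not code from StepSecurity, from the tj-actions project, or from GitHub. The sample workflow embedded in it is constructed for the demonstration (the 40-hex-digit "pinned" reference is a placeholder, not a real commit), and the default watchlist of actions to treat as high severity is an assumption of this example.

```python
import re
from pathlib import Path

# Constructed sample workflow, not taken from any real repository. It mixes the
# patterns the audit should distinguish: a mutable tag on the action named in the
# article, a full-SHA pin (placeholder hash), a local action and a docker image.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: echo "no action here"
"""

# Matches `uses: owner/repo[/path]@ref`, with or without a leading list dash or quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?", re.MULTILINE)
# A reference is immutable only if it is a full 40-hex-digit commit SHA.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Assumed watchlist for this example: actions known to have been compromised.
DEFAULT_WATCHLIST = ("tj-actions/changed-files",)


def parse_uses(workflow_text):
    """Return (repo, ref) pairs for every remote action reference in a workflow.

    Local (./) and docker:// references are not git checkouts of a third-party
    repository, so they carry no ref to pin and are skipped.
    """
    refs = []
    for m in USES_RE.finditer(workflow_text):
        target = m.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        name, _, ref = target.partition("@")
        repo = "/".join(name.split("/")[:2])  # drop any sub-path inside the repo
        refs.append((repo, ref))
    return refs


def audit_workflow(workflow_text, watchlist=DEFAULT_WATCHLIST):
    """List every action not pinned to a full commit SHA.

    References to a watchlisted action are reported as high severity, every
    other mutable reference (tag or branch) as medium. SHA-pinned steps are
    not reported at all.
    """
    findings = []
    for repo, ref in parse_uses(workflow_text):
        if FULL_SHA_RE.match(ref):
            continue
        severity = "high" if repo in watchlist else "medium"
        findings.append({"action": repo, "ref": ref, "severity": severity})
    return findings


def audit_directory(workflows_dir=".github/workflows", watchlist=DEFAULT_WATCHLIST):
    """Run audit_workflow over every *.yml / *.yaml file under a workflows directory."""
    results = {}
    for path in sorted(Path(workflows_dir).glob("*.y*ml")):
        results[str(path)] = audit_workflow(path.read_text(), watchlist)
    return results


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{finding['severity']}] {finding['action']}@{finding['ref']} is not pinned to a commit SHA")
```

Run against a checked-out repository, `audit_directory()` walks the real workflow files; the expected fix for each finding is to replace the tag with the full SHA of the release you reviewed, keeping the tag in a trailing comment so the intent stays readable. Pinning does not help if the pinned commit itself was the malicious one, so the SHA should come from a release you have verified, not from the tag as it existed after the compromise.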

Trend of supply chain attacks continues

The March 14 incident appears not to have been the first such compromise of a GitHub Action. The researchers followed up with a new report on March 18 indicating that they had uncovered several previous compromises that could have enabled similar supply chain attacks, though the extent of any actual damage is still being assessed. There is also no word yet on whether the same attackers were involved or the incidents are connected.

Supply chain attacks on code repositories and open source projects have become increasingly common of late, and have drawn the attention of advanced hacking groups. North Korea's state-sponsored Lazarus team was found to be behind recent compromises of the npm software repository that attempted to trick users into downloading tainted versions of commonly used packages, and the Python Package Index also recently suffered a similar attack. The incident with the GitHub repositories makes clear the appeal of pulling off such an attack: a single compromised component puts tens of thousands (if not more) of downstream victims instantly within the attacker's reach.

Potential victims of the March 14 GitHub repositories attack can find recovery assistance and guidance from StepSecurity in the form of an “office hour” video that was first broadcast on March 17 and remains viewable on YouTube.