SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Massive attack on GitHub affects over 23,000 repositories

A recent software supply chain attack has sent ripples through the development community, potentially compromising over 23,000 repositories on GitHub. The attack targeted "tj-actions/changed-files", a widely used GitHub Action, injecting malicious code that has raised serious concerns over software security practices.

The incident, which took place on 12 March, saw attackers infiltrate the GitHub Action to steal secrets, including API keys and authentication tokens. Such credentials are critical for accessing various software tools and platforms. The attack was noticed roughly 12 hours after it began, and the repository was then made inaccessible to prevent further downloads of the compromised code. By this time, however, thousands of users were already affected.

Alex Ilgayev, Head of Security Research at Cycode, described the incident as a significant wake-up call for the software supply chain security community. He emphasised the growing trend of attackers exploiting trusted open-source components, underscoring the importance of proactive risk management. Ilgayev advised organisations to audit their workflows, rotate passwords, and adopt measures to prevent similar supply chain attacks.
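As an added illustration of the workflow audit recommended above (example code written for this article, not from Cycode or the tj-actions project), the script below scans GitHub workflow files for references to "tj-actions/changed-files" and reports whether each reference is a mutable tag or branch name, or a full 40-character commit SHA. The workflow contents, file paths and the SHA value are constructed samples; a SHA reference is immutable but must still be checked against the project's advisory, which this script does not do.

```python
import re
from pathlib import Path

# Constructed sample workflows (not taken from the article or any real repository).
SAMPLE_WORKFLOWS = {
    ".github/workflows/ci.yml": """
name: CI
on: [pull_request]
jobs:
  changed:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - name: pinned
        uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567 # v45
""",
    ".github/workflows/release.yml": """
jobs:
  build:
    steps:
      - uses: actions/setup-node@v4
""",
}

# Matches "uses: owner/repo@ref" (optionally quoted, with or without a list dash).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text, action="tj-actions/changed-files"):
    """Return (line_no, ref, kind) for each step that uses `action`.

    kind is "sha" for a full commit SHA and "mutable" for a tag, branch
    or missing ref, since those can be moved to point at new code.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        name, _, ref = match.group(1).partition("@")
        if name != action:
            continue
        kind = "sha" if SHA_RE.match(ref) else "mutable"
        findings.append((line_no, ref, kind))
    return findings


def audit_all(workflows):
    """Audit a mapping of path -> workflow text; paths with no findings map to []."""
    return {path: audit_workflow(text) for path, text in workflows.items()}


def audit_directory(root):
    """Audit every workflow file under <root>/.github/workflows on disk."""
    files = Path(root).glob(".github/workflows/*.y*ml")
    return audit_all({str(p): p.read_text() for p in files})
```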

Dr Katie Paxton-Fear, Principal Security Research Engineer at Harness, explained that the attack involved inserting a malicious function into the automation process of "tj-actions/changed-files". The attackers employed obfuscated code to execute a Python script that exfiltrated credentials. Remarkably, the attack exploited an outdated component alongside the malicious payload, which went unnoticed by maintainers but was integrated automatically due to a trusted bot. Dr Paxton-Fear highlighted the increasingly common strategy of using trusted automation tools to bypass scrutiny.

Nick Mistry, SVP and Chief Information Security Officer at Lineaje, pointed out the attack's implications on the security of continuous integration and continuous deployment (CI/CD) pipelines, which are often overlooked. He stressed the necessity of adopting a comprehensive security approach that involves real-time monitoring of both code and build tools, urging organisations to develop a Software Bill of Materials (SBOM) for their build pipelines to safeguard their development processes.

Henrik Plate, a security researcher at Endor Labs, conducted an analysis to understand the impact of the attack. Despite the initial fears regarding the scale of the attack, Plate concluded that its actual damage was less extensive than anticipated. While 218 repositories were found to have leaked secrets, most involved short-lived GitHub tokens, which are less valuable to attackers. Nevertheless, for those affected, the repercussions could be severe, warranting immediate action to rotate credentials and assess any potential malicious activity.

Plate's research underscored that not all repositories using "tj-actions/changed-files" were affected, but the incident put a spotlight on the vulnerabilities of open-source projects. It serves as a crucial reminder of the need for enhanced vigilance and support for open-source software maintenance and security to mitigate risks of this nature.

The event highlights a growing imperative for developers and organisations to review and bolster their security measures, ensuring they can quickly identify and respond to such threats before they escalate into more severe breaches. The security community continues to advocate for robust, proactive strategies to safeguard the integrity of software supply chains.
