Cascading GitHub Supply Chain Attack Exposes CI/CD Secrets

By /

Listen to this Post

A New Threat to Open-Source Security

A sophisticated supply chain attack has rippled through the GitHub ecosystem, compromising thousands of repositories and exposing critical CI/CD secrets. This attack, which originated from the “reviewdog/action-setup@v1” GitHub Action, has led to the breach of “tj-actions/changed-files,” potentially leaking sensitive credentials.

Last week, malicious actors injected harmful code into the tj-actions/changed-files GitHub Action, allowing them to extract CI/CD secrets from workflow logs across more than 23,000 repositories. If these logs were publicly accessible, attackers could have easily stolen sensitive information.

Initially, developers behind tj-actions were unable to determine how their GitHub personal access token (PAT) had been compromised. However, security researchers at Wiz have now traced the attack back to a cascading supply chain breach, starting with the compromise of reviewdog/action-setup.

How the Attack Unfolded

  • The attackers infiltrated the “reviewdog/action-setup@v1” GitHub Action and injected malicious code designed to exfiltrate secrets from CI/CD workflows.
  • This compromised action was then unknowingly used in the tj-actions/eslint-changed-files repository, allowing attackers to extract its PAT.

– With access to

  • The attack method involved inserting a base64-encoded payload into an install script (install.sh), which collected sensitive data from affected repositories.

Potentially Affected GitHub Actions

In addition to reviewdog/action-setup@v1, several other GitHub Actions within the Reviewdog ecosystem may have been impacted, including:

– reviewdog/action-shellcheck

– reviewdog/action-composite-template

– reviewdog/action-staticcheck

– reviewdog/action-ast-grep

– reviewdog/action-typos

The breach at Reviewdog was coincidentally mitigated, but Wiz researchers have notified both Reviewdog and GitHub to prevent further exploitation.

Root Cause and Ongoing Risks

Although the exact method of compromise remains unclear, one contributing factor is Reviewdog’s large contributor base and its policy of accepting new members through automated invites. This lax security approach increases the risk of malicious actors gaining access to its repositories.

If left unresolved, this vulnerability could lead to repeated breaches, even after affected repositories rotate their secrets.

Recommended Security Measures

To mitigate the risk of similar attacks, security experts recommend the following:

  1. Audit repositories for references to reviewdog/action-setup@v1 using GitHub queries.
  2. Check workflow logs for double-encoded base64 payloads, which could indicate leaked secrets.
  3. Immediately remove references to compromised actions across all branches.

4. Delete workflow logs containing exposed secrets.

  1. Rotate all potentially compromised credentials to prevent unauthorized access.
  2. Pin GitHub Actions to commit hashes instead of version tags to prevent unverified updates.
  3. Use GitHub’s allow-listing feature to restrict the execution of untrusted actions.

The attack underscores the growing risks of supply chain vulnerabilities in open-source software. With over 23,000 repositories affected, developers must take urgent action to protect their CI/CD secrets.

What Undercode Say: The Bigger Picture of Supply Chain Attacks

  1. The Rise of Cascading Attacks in Open-Source Software
    This incident highlights a growing trend where a single compromised component leads to widespread security breaches. Attackers are increasingly targeting upstream dependencies, knowing that even a minor breach can cascade through the ecosystem.

2. CI/CD Pipelines Are Prime Targets

As automation tools become central to software development, attackers recognize CI/CD pipelines as valuable targets. These pipelines store critical secrets, such as API keys, cloud credentials, and access tokens. When compromised, they provide hackers with deep access into software deployment processes.

3. Why GitHub Actions Are Vulnerable

GitHub Actions streamline automation, but their flexibility comes with risks. Developers often reference external actions without fully verifying their security. Since these actions can run arbitrary code, a single compromise can lead to mass exploitation.

4. Base64 Encoding as an Evasion Technique

The use of base64 encoding to hide malicious payloads is a common tactic. It allows attackers to bypass simple security checks while maintaining an unobtrusive presence in workflow scripts. This technique often delays detection until it’s too late.

5. Automated Contributor Invites: A Security Loophole

Reviewdog’s approach of automatically inviting contributors creates an open door for attackers. Security teams must enforce stricter controls over contributor access, ensuring that only trusted developers can modify critical components.

6. Impact on Open-Source Trust

The open-source community relies heavily on trust. When major projects are compromised, it erodes confidence in shared codebases. This attack will likely push maintainers to adopt stricter security policies and encourage more rigorous dependency audits.

7. The Long-Term Consequences for Developers

  • Developers using affected actions must now scramble to secure their repositories.
  • Future supply chain attacks could be even more devastating if preventive measures aren’t adopted.
  • Companies relying on GitHub workflows need to re-evaluate how they handle third-party actions.

8. What Needs to Change?

To prevent similar incidents, the open-source ecosystem must:

– Adopt stricter authentication for contributors.

– Require signed commits for critical changes.

– Enforce regular audits for high-risk GitHub Actions.

  • Encourage the use of Software Bill of Materials (SBOM) to track dependencies.

The attack on Reviewdog and tj-actions serves as a wake-up call for developers. As supply chain threats evolve, so must our security practices.

Fact Checker Results

  • Confirmed Breach: Reviewdog/action-setup@v1 was indeed compromised, impacting multiple repositories.
  • Potential Widespread Impact: More than 23,000 repositories may have been affected, with secrets at risk of exposure.
  • Mitigation Measures Available: Developers can prevent future breaches by auditing dependencies, rotating credentials, and pinning actions to specific commits.

This attack serves as a stark reminder of the vulnerabilities inherent in open-source software and the need for proactive security measures.

References:

Reported By: https://www.bleepingcomputer.com/news/security/github-action-hack-likely-led-to-another-in-cascading-supply-chain-attack/
Extra Source Hub:
https://www.quora.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image

Explore More: