Critical GitHub Attack

This is serious:

A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have originated from an earlier breach of the “reviewdog/action-setup@v1” GitHub Action, according to a report.

[…]

CISA confirmed the vulnerability has been patched in version 46.0.1.

Given that the utility is used by more than 23,000 GitHub repositories, the scale of potential impact has raised significant alarm throughout the developer community.

Posted on March 20, 2025 at 11:14 AM5 Comments

Comments

Vesselin Bontchev March 20, 2025 12:19 PM

Given that the utility is used by more than 23,000 GitHub repositories, the scale of potential impact has raised significant alarm throughout the developer community.

Keyword being “potential”. The actual reality is, shall we say, a bit different:

The compromise of GitHub Action tj-actions/changed-files has impacted only a small percentage of the 23,000 projects using it, with it estimated that only 218 repositories exposed secrets due to the supply chain attack.

https://www.bleepingcomputer.com/news/security/github-action-supply-chain-attack-exposed-secrets-in-218-repos/

Who? March 20, 2025 12:25 PM

@ Clive Robinson

Years ago I sent an email to DISA about some obvious “errors” in some networking-related STIGs that made those technical implementation guides dangerous if followed as published. They replied, in a somewhat unpolited way, noting the obvious (that I am not affiliated with the U.S. army); these technical implementation guides about some well-known routing devices remain unfixed yet.

Same happened again some time later, this time about some CTR and CSIs published by NSA. No answer at all, something I appreciate when compared to DISA reply, but they continue recommending a setup that opens widely known attacks against shared caches in certain processor architectures. Not to say, these documents have been updated at least one time but continue suggesting the insecure settings.

To be honest, I do not trust on what CISA/DISA/NSA may publish.

The current U.S. administration may continue degrading the country cybersecurity and international alliances. If U.S. citizens accept it this way, who am I to disagree?

Clive Robinson March 20, 2025 12:38 PM

@ For those “new to the game”

CI/CD Secrets is liberaly spread across the articles, but none explain what they are in layman’s terms.

The first step is to understand what “Continuous Intergration”(CI) “Continuous Development/Deployment”(CD) Pipeline is. Gitlab has a reasonable description at,

https://about.gitlab.com/topics/ci-cd/cicd-pipeline/

However it says nothing about “secrets”

Put overly simply in our modern environments much is “done in the cloud” or in older parlance “across multiple servers” for which “Authorization”(AuthZ) and “Authentication”(AuthN) is required.

At the simplest that is a user has to have “an account” that once would have been a “user name” and was considered “public knowledge”, and “a password” or “passphrase” or other “secret” known only to the user and verifiable by the server.

However when you “automate” things it gets more complicated and it gets to the point where even the user does not know what is used for AuthZ and AuthN as they are “embedded in some way” into the automated pipeline.

It is these that form the basis for “CI/CD Secrets” and whilst they could be “dynamic” and “random” by “challenge and response” or “Zero Knowledge Proof” they generally are “static” and put as “plaintext in files”.

Thus if static “once leaked” anyone who has access to the leak can impersonate the valid user(s).

It’s actually a really bad security design for an automated system and should be replaced with something that is not vulnerable to being recorded and replayed, but still does not need user(s) to be actively involved.

Unfortunately by the way this attack works it can get around the “security advise” given online with articles like,

https://blog.gitguardian.com/handle-secrets-in-ci-cd-pipelines/

Clive Robinson March 20, 2025 12:58 PM

@ Who?, ALL,

With regards,

“To be honest, I do not trust on what CISA/DISA/NSA may publish.”

And so you should not. Likewise you should not trust the word of anyone including me 😉

It’s why I do not like the idea of “Best Practice” that every man and his dog took as an idea from the legal profession. Because there is no such thing as “best practice” and anything written in that regard almost certainly become “out of date” very shortly there after.

What people should do, and few have time to do so is learn what a system does and how and what it’s interactions, strengths, weaknesses and Non Obvious Flaws are. As well as,

“Think like an attacker and test, test, test…”

Many years ago I had a couple of decades of success bypassing AuthN command line systems with simple attacks “busting buffers” and finding “alternate channels” that were either not shutdown correctly or left open as part of the OS or worse still because people did not know how to handle errors and especially exceptions correctly…

One such of the latter was to exploit the “mouse input” of a well known Graphical User Interface. Put simply if you moved the mouse in random circles and spirals etc whilst also hitting either the keyboard or mouse buttons it caused errors that blew up the GUI and dropped you to a very privileged command line interface… Ops.

ResearcherZero March 24, 2025 8:32 PM

FCC checks if anyone got the memo.

‘https://www.theregister.com/2025/03/24/fcc_chinese_telco_huawei/

Leave a comment

Blog moderation policy

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.