- A popular tool for automated software updates was compromised via GitHub
- A piece of malicious code was added, exposing user secrets
- Dozens of organizations were harmed already, researchers said
Tens of thousands of organizations, from SMBs to large enterprises, were at risk of inadvertently exposing internal secrets after a supply-chain attack hit a GitHub account.
A threat actor compromised the GitHub account of the person(s) maintaining tj-actions/changed files, a tool that is part of a larger collection called tj-actions, which helps automate software updates, and is reportedly used by more than 23,000 organizations.
Once in the account, the hacker silently modified the software so that instead of working as intended, it also stole sensitive information from the computers running it. Many developers apparently trusted the tool without checking for changes, executing the malicious code and exposing sensitive credentials. The report claims AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, private RSA Keys and more, were added to a plaintext log and thus exposed.
Dozens of victims
The stolen credentials could allow attackers to access private systems, steal data, or compromise the services mentioned above, which means that the effects of this attack are yet to be seen in the weeks and months to come.
GitHub addressed the incident, saying that the company and its platform were not compromised in the attack, but it still helped remedy the problem.
“Out of an abundance of caution, we suspended user accounts and removed the content in accordance with GitHub’s Acceptable Use Policies,” GitHub was cited saying.
“We reinstated the account and restored the content after confirming that all malicious changes have been reverted and the source of compromise has been secured.”
Users should “always review GitHub Actions or any other package that they are using in their code before they update to new versions,” GitHub concluded.
Ars Technica noted security researchers from Wiz already found “dozens of users” who were harmed in this attack.
“Wiz Threat Research has so far identified dozens of repositories affected by the malicious GitHub action, including repos operated by large enterprise organizations. In these repositories, the malicious payload successfully executed and caused secrets to leak in workflow logs,” they concluded
If your system is using tj-actions, make sure to inspect it thoroughly for any signs of compromise.
