Researchers have identified a new attack vector affecting GitHub open source projects owned by tech giants such as Google, Microsoft, and Amazon Web Services. The issue was discovered by researchers at Palo Alto Networks’ Unit 42 and was found to affect high-profile open source projects whose compromise could potentially impact millions of consumers.
In a blog post by lead researcher Yaron Avital, Unit 42 revealed that the attack vector leveraged artifacts generated during software development workflows to compromise projects. Companies such as Canonical (Ubuntu), the OWASP Foundation, and Red Hat were also affected: their GitHub Actions artifacts leaked GitHub tokens and tokens for third-party cloud services.
The leaking artifacts allowed anyone with read access to the repository to potentially compromise the services associated with the exposed tokens. The most common leak was GitHub tokens, which enable an attacker to act against the GitHub repository itself. This exposure could have allowed attackers to push malicious code to production or to access sensitive secrets stored in the GitHub repository and organization.
Unit 42 collaborated with the affected companies and project maintainers to mitigate the impact of the attack quickly and efficiently. However, it is important to note that other private and public projects could also be vulnerable to similar attacks.
The attack focused on GitHub Actions artifacts, the workflow build artifacts that let data be shared across different stages of the development process. These artifacts, retained for up to 90 days, can contain sensitive information such as GitHub tokens used to interact with the repository itself and tokens for various cloud services. By downloading publicly available artifacts, attackers could obtain these tokens, inject malicious code into open source projects, and potentially compromise end users’ software or services.
To prevent such attacks, Avital recommended a holistic defense approach that scrutinizes every stage of the software development process for vulnerabilities. Organizations should reassess their use of artifacts, reduce workflow permissions, and review how artifacts are created in CI/CD pipelines to improve the security posture of their projects.
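One way to act on the "review artifact creation" recommendation is a pre-upload check that runs in the workflow before the artifact is published. The scanner below is an added example, not code from Unit 42 or GitHub: it walks a staged artifact directory and flags raw GitHub token strings as well as a persisted checkout credential in .git/config (actions/checkout writes the repository token there as a basic-auth header unless persist-credentials is set to false). The sample directory it builds is constructed test data with fake token values.

```python
import base64
import re
import tempfile
from pathlib import Path

# Prefixes GitHub uses for its token formats, and the header form that a
# persisted checkout credential takes in .git/config (AUTHORIZATION: basic <base64>).
TOKEN_RE = re.compile(r"\b(?:gh[psour]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b")
AUTH_HEADER_RE = re.compile(r"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)


def scan_text(text: str, relpath: str) -> list[tuple[str, str]]:
    """Return (relpath, reason) findings for the contents of one file."""
    findings = []
    for m in TOKEN_RE.finditer(text):
        # Report only the prefix so the scanner's own log never carries the secret.
        findings.append((relpath, f"token literal {m.group(0)[:7]}..."))
    for m in AUTH_HEADER_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:
            decoded = ""
        if decoded.startswith("x-access-token:"):
            findings.append((relpath, "persisted git credential header"))
    return findings


def scan_artifact_dir(root: str) -> list[tuple[str, str]]:
    """Walk the staged artifact, dotfiles and .git included, and collect findings."""
    root_path = Path(root)
    findings = []
    for path in root_path.rglob("*"):
        if path.is_file():
            text = path.read_text(errors="replace")
            findings.extend(scan_text(text, path.relative_to(root_path).as_posix()))
    return findings


def build_sample_artifact() -> str:
    """Constructed test data: a build directory that accidentally includes .git/."""
    root = tempfile.mkdtemp(prefix="artifact-")
    Path(root, ".git").mkdir()
    fake = base64.b64encode(b"x-access-token:ghs_" + b"A" * 36).decode()  # not a real token
    Path(root, ".git", "config").write_text(
        f'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic {fake}\n')
    Path(root, "build.log").write_text("compiled 42 files\nexport TOKEN=ghp_" + "b" * 36 + "\n")
    Path(root, "app.js").write_text("console.log('ok');\n")
    return root


if __name__ == "__main__":
    print(*scan_artifact_dir(build_sample_artifact()), sep="\n")
```

In a workflow, failing the job when the scan returns any finding keeps the token out of the artifact store; pairing this with `persist-credentials: false` on checkout and an explicit upload path removes the most common source in the first place.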
This incident highlights the importance of maintaining secure development practices and staying vigilant against emerging threats in the software development landscape. By proactively securing their workflows and artifacts, organizations can better protect their projects from malicious exploitation.