- CISA issued a warning about ongoing supply chain attacks exploiting GitHub repos via a malicious Nx Console VSCode extension and the Megalodon campaign
- Threat actors stole CI/CD secrets, cloud credentials and tokens by poisoning workflows, prompting CISA to call for audit of contributor activity and workflow files
- Recommended remedies include forensic reviews, rotating/revoking all pipeline secrets, pinning trusted package versions, and delaying pulls to allow community detection
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning of several ongoing supply chain attacks and is urging developers and open source platform users to apply restrictions and secure their environments.
In a news alert published earlier this week, the agency warned of attacks on GitHub repos via a malicious Nx Console Visual Studio Code (VSCode) extension, as well as the Megalodon supply chain campaign. It said these attacks show “how cyber threat actors are abusing tools and processes that support enterprise, cloud and DevOps environments – specifically CI/CD pipelines, code extensions and workflows.”
Building on an earlier compromise of Nx developer systems, the threat actors compromised a GitHub employee’s device through a poisoned third-party VSCode extension, gained access to that employee’s repositories, and stole sensitive information found within.
CISA’s advice
In Megalodon, hackers injected malicious GitHub Action workflows to steal CI/CD secrets, cloud credentials and tokens, CISA said.
With that in mind, it urged organizations to monitor and audit workflow files and contributor activity and roll back any unauthorized changes.
Organizations that discover a breach stemming from a previously compromised GitHub account or Nx Console install should conduct a forensic review of CI/CD logs, cloud audit trails, and affected developer machines, and rotate or revoke all secrets. That means every credential, token, and secret available to CI/CD pipelines: cloud API credentials (Amazon Web Services, Google Cloud Platform, Azure), SSH keys, Docker/npm/PyPI/Vault/Terraform/Kubernetes tokens, GitHub/GitLab/Bitbucket tokens, and any developer or pipeline secrets.
When pulling packages from public registries, CISA recommends waiting at least three hours after a new version is published before pulling it, to give the community enough time to detect any suspicious or malicious activity. It also recommends pinning software to specific trusted versions and only pulling packages from known and trusted sources.
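Two of those recommendations, auditing workflow files for unpinned actions and enforcing a cool-down before pulling a freshly published package, are easy to turn into a check that runs in a pre-merge hook or a scheduled job. The script below is an added example, not code from CISA or TechRadar: the workflow text, the commit SHA, the package name and its registry publish times are all constructed for illustration, and the registry metadata only follows the shape of an npm `time` map rather than coming from a real lookup.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample workflow (hypothetical, not from the page). Only the
# setup-node step is pinned to a full commit SHA; the other two `uses:` refs
# are mutable tags or branches that whoever controls the action repo can repoint.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: some-org/untrusted-action@main
      - run: npm ci
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return (line_number, ref) for every `uses:` entry not pinned to a 40-hex commit SHA.

    Local actions (./path) are skipped because they are reviewed with the repo itself;
    docker:// and tag/branch references are reported so a human can pin or justify them.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./"):
            continue
        if "@" not in ref:
            findings.append((lineno, ref))
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


# Constructed registry metadata (hypothetical package, hypothetical timestamps),
# shaped like the `time` map an npm registry returns for a package document.
SAMPLE_PACKAGE_METADATA = {
    "name": "example-lib",
    "dist-tags": {"latest": "2.0.0"},
    "time": {
        "created": "2024-05-01T10:00:00Z",
        "modified": "2024-05-02T09:30:00Z",
        "1.4.2": "2024-05-01T10:00:00Z",
        "2.0.0": "2024-05-02T09:30:00Z",
    },
}

MIN_AGE = timedelta(hours=3)  # CISA's suggested wait before pulling a new version


def parse_time(iso_z):
    """Parse a registry timestamp such as 2024-05-02T09:30:00Z into an aware datetime."""
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))


def versions_past_cooldown(metadata, now, min_age=MIN_AGE):
    """Versions published at least `min_age` before `now`; anything younger is held back."""
    allowed = []
    for version, published in metadata["time"].items():
        if version in ("created", "modified"):
            continue  # non-version keys that npm also stores in the time map
        if now - parse_time(published) >= min_age:
            allowed.append(version)
    return allowed


if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"workflow line {lineno}: unpinned action {ref}")
    now = datetime.now(timezone.utc)
    print("installable versions:", versions_past_cooldown(SAMPLE_PACKAGE_METADATA, now))
```

Run against the constructed inputs, the audit flags the `@v4` tag and the `@main` branch while accepting the SHA-pinned step, and with the clock at 11:00 UTC on 2 May it holds back 2.0.0 (published 90 minutes earlier) while allowing 1.4.2. In a real pipeline you would feed it the workflow files from the repository and the metadata fetched from the registry, and fail the job on any finding.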