- A popular GitHub Action used in CI/CD pipelines was compromised via GitHub
- Malicious code was added that exposed users' secrets
- Dozens of organizations have already been affected, researchers said
Tens of thousands of organizations, from SMBs to large enterprises, were at risk of inadvertently leaking internal secrets after a supply chain attack compromised a GitHub account.
A threat actor compromised the GitHub account of the maintainer(s) of tj-actions/changed-files, a GitHub Action that detects which files changed in a commit or pull request. It belongs to the larger tj-actions collection, which is used to automate CI/CD workflows, and is reportedly used by more than 23,000 organizations.
Once in control of the account, the attacker silently modified the action so that, besides doing its normal job, it also harvested sensitive data from the CI runners executing it. Many developers apparently trusted the tool without reviewing its changes, so their workflows executed the malicious code and leaked credentials. The report says AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, private RSA keys and more were written to plaintext workflow logs and thus exposed.
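Because the payload wrote credentials into workflow logs, the first triage step for anyone who ran the affected action is to scan their job logs for leaked material and rotate whatever turns up. The scanner below is an added example and is not code from the article, from GitHub or from the tj-actions project. It matches the credential types the article lists by their publicly documented prefixes (AWS access key IDs begin with `AKIA`, classic GitHub PATs with `ghp_`, npm tokens with `npm_`); the fixed token lengths and the sample log lines are assumptions constructed for the example.

```python
import re

# Detection regexes for the credential types the article lists. The prefixes
# are the publicly documented formats; the fixed lengths are an assumption for
# this example and would need widening for other token families (for instance
# fine-grained "github_pat_" tokens).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----"),
}


def redact(value, keep=8):
    """Keep only a short prefix so the triage report does not re-leak the secret."""
    return value[:keep] + "..." if len(value) > keep else value


def scan_log(text):
    """Scan workflow log text line by line.

    Returns a list of (line_number, secret_type, redacted_value) tuples, one per
    match, in the order they appear in the log.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((lineno, kind, redact(match.group(0))))
    return findings


def leaked_secret_types(text):
    """Set of credential types seen in the log: the list of what to rotate."""
    return {kind for _, kind, _ in scan_log(text)}


# Constructed sample log in the style of a GitHub Actions job log. The key ID
# is the AWS documentation placeholder and the PAT is a dummy value.
SAMPLE_LOG = """\
Run tj-actions/changed-files
All changed files: src/app.py README.md
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
-----BEGIN RSA PRIVATE KEY-----
Job finished
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} -> {value}")
    print("rotate:", sorted(leaked_secret_types(SAMPLE_LOG)))
```

Run it over exported job logs (the GitHub UI and API both let you download the raw log of a run). Treat any hit as a confirmed exposure: workflow logs are readable by anyone who can see the repository, so for a public repository every credential in the log must be rotated, not just the ones the scanner happens to recognise.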
Dozens of victims
The stolen credentials could let attackers access private systems, steal data or compromise the services mentioned above, so the full effects of this attack may not be seen for weeks or months.
GitHub responded to the incident, saying that neither the company nor its platform was compromised in the attack, but that it had helped remediate the problem.
“Out of an abundance of caution, we suspended user accounts and removed the content in accordance with GitHub’s acceptable use policies,” GitHub said.
“We reinstated the account and restored the content after confirming that all malicious changes had been reverted and the source of compromise had been secured.”
Users should “always review GitHub Actions or any other package they use in their code before updating to new versions,” GitHub concluded.
Wiz security researchers have already found “dozens of users” affected by this attack.
“Wiz threat research has so far identified dozens of repositories affected by the malicious GitHub Action, including repos operated by large enterprise organizations. In these repositories, the malicious payload executed successfully and caused secrets to leak in workflow logs,” they concluded.
If your workflows use tj-actions, inspect them thoroughly for signs of compromise.
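Reviewing an action "before updating" only works if an update cannot happen behind your back. A `uses:` reference to a tag or branch is a mutable pointer that the repository owner, or whoever takes over the owner's account, can move to any commit; only a full 40-hex commit SHA is immutable. The audit script below is an added example, not code from the article, from GitHub or from the tj-actions project: it walks the `uses:` lines of a workflow file, flags every remote action that is not pinned to a full SHA, and separately flags everything from a watched owner (here `tj-actions`) so those references can be checked by hand. The minimal line-based YAML matching, the placeholder SHA and the sample workflow are assumptions constructed for the example.

```python
import re

# A 40-hex commit SHA is the only immutable reference a `uses:` line can carry;
# tags and branches can be moved to any commit by whoever controls the account.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" or "- uses: owner/repo/path@ref", quoted or
# not. Deliberately a small YAML subset so the example needs no dependencies;
# a production audit tool should use a real YAML parser.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")


def parse_uses(workflow_text):
    """Yield (line_number, action, ref) for each remote action a workflow uses."""
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        spec = match.group(1)
        if spec.startswith(("./", "docker://")):
            continue  # local actions and docker images carry no git ref to pin
        action, _, ref = spec.partition("@")
        yield lineno, action, ref


def audit_workflow(workflow_text, watched_owner="tj-actions"):
    """Flag every remote action not pinned to a full commit SHA, plus every
    action from `watched_owner` regardless of pinning, so those can be checked
    against the commits the maintainer has declared clean."""
    findings = []
    for lineno, action, ref in parse_uses(workflow_text):
        pinned = bool(FULL_SHA_RE.match(ref))
        watched = action.split("/")[0] == watched_owner
        if watched or not pinned:
            findings.append({
                "line": lineno,
                "action": action,
                "ref": ref,
                "pinned_to_sha": pinned,
                "watched_owner": watched,
            })
    return findings


def pin_line(action, ref, sha):
    """Rewrite an action reference to a SHA, keeping the old tag as a comment
    so reviewers can still see which release the SHA is meant to match."""
    return f"{action}@{sha} # {ref}"


# Constructed sample workflow. The 40-hex value is a placeholder, not a real
# commit of any of these projects.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} "
              f"pinned={f['pinned_to_sha']} watched={f['watched_owner']}")
```

Two caveats when using this. First, it only sees the workflow's direct references: a composite action from another owner may itself call tj-actions internally, and that dependency is only visible by reading the action's own repository. Second, pinning to a SHA does not make an already-malicious commit safe; it only guarantees that the code you reviewed is the code that runs, which is what makes the review GitHub recommends meaningful.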