- Suspent Exposed how a trusted GitHub -function can silently hand -check to attackers
- pull_request_target is not only risky, it is a loaded weapon in the wrong hands
- Even Top-Tier Security Projects Like Mitre’s can fall to Simple Github Workflow Misconfigurations
Experts have revealed several critical vulnerabilities in GitHub actions workflows that can pose serious risks to some major open source projects.
A recent study from Sysdig’s threat research team (TRT) has postponed how misunderstandings, especially involving the pull_request_target -trigger, could let attackers seize control of active stocks or extract sensitive credentials.
The team demonstrated this by compromising projects from well -known organizations such as Mitre and Splunk.
GitHub actions are widely adopted in modern software development for its automation capacities, but this convenience often hides security risks.
“Modern supply chain attacks often begin by abusing uncertain workflows,” the report states, noting how secrets like tokens or passwords embedded in workflows can be exploited if it is incorrectly secured.
Despite available best practices and documentation, many storage sites continue to use high -risk configurations, either from supervision or a lack of attention.
The essence of the problem is the pull_request_target -Trigger, who runs workflows in the context of the main branch.
This setup provides increased privileges, including access to GitHub_token and Repository Secrets, for code submitted from forks.
While it is intended to facilitate the test of pre-cousin, this mechanism also allows the performance of non-confined code, creating an attack surface that is easily overlooked.
The risk is not hypothetical, they are real.
In Spotipy Repository, which is integrated with Spotify’s web API, Ier discovered a setup where a designed setup.py could perform code and harvest secrets.
In the Miters CyberSecurity Analytics Repository (CAR), attackers were able to perform arbitrary code by changing dependencies.
Sealing confirmed that it was possible to take over the GitHub account that is linked to the project.
Even Splunks Security_content -Archive had secrets like Appinspectusname and AppinsPectPassword exposed despite the limited extent of github_token.
Developers should reassess the use of pull_request_target, considering safer alternatives – so recommend to separate workflows by first using unprivel them and only allowing sensitive tasks after validation.
Limiting the capacities of tokens and the adoption of real-time surveillance with tools such as Falco actions can also provide vital protection.
