Large organizations among those cleaning up the mess
It's not such a happy Monday for defenders wiping the sleep from their eyes only to deal with the latest supply chain attack. StepSecurity disclosed a compromise of the popular GitHub Action tj-actions/changed-files, which works to detect file changes in open source projects, noting that more than 23,000 GitHub repositories currently use the automation project's code.
The security shop said attackers compromised the project at some unknown point before March 14 and altered its code so the Action would leak secrets from a project's developer workflow into build logs. In cases where these logs are publicly available, such as public repositories, it means that any project using tj-actions/changed-files would be leaking secrets for all to see. The risk to private repos is thought to be much lower, but maintainers should still consider their projects compromised.

The GitHub Action was tampered with to inject a Node.js function containing base64-encoded instructions to run a Python script that leaked a project's continuous integration / continuous delivery (CI/CD) secrets. Such secrets can include API keys, passwords, access tokens, and more, so it will come as some relief to admins that there is no evidence that any of the secrets leaked from public repos were exfiltrated to any outside server. Similar malicious code could be found in another project, Flank, Sysdig noted, and in this case the data was sent to a GitHub Gist via a POST request.

The motivation for the attack, like the identity of those behind it, is unknown, but the tj-actions team confirmed that the compromise unfolded after a bot account was breached.

"This attack appears to have been conducted from a PAT linked to @tj-actions-bot account to which 'GitHub is not able to determine how this PAT was compromised,'" a maintainer wrote. Additional safeguards are now used to secure the account, its permissions were downgraded to the minimum necessary, and commits must now be signed to ensure the integrity of contributions.

"The personal access token affected was stored as a GitHub action secret which has since been revoked," he added. "Going forward no PAT would be used for all projects in the tj-actions organization to prevent any risk of reoccurrence. We'll continue to monitor and enhance security measures as needed to prevent any future incidents. If you have any additional recommendations, feel free to share them."
Cybersecurity experts covering the attack have all advised that an immediate response is required from project maintainers to ensure their secrets aren't exposed. The researchers over at Wiz said they've identified "dozens" of public repos with exposed secrets freely available for anyone to see, including those owned by large organizations.

Project maintainers who think they might be affected are advised to audit their repos and rotate all secrets in any that use tj-actions/changed-files. These secrets should be considered compromised, and now that the attack is publicized, criminals will be scouring GitHub for useful data. Both Wiz and Sysdig recommended that developers find alternatives for tj-actions/changed-files and remove all references to the GitHub Action across all repo branches.

GitHub's own documentation advises that developers using Actions should pin them to specific commit hashes instead of version tags if they want to avoid similar supply chain attacks in the future. "Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release," it states. "Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork."
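As an added illustration of the audit and pinning advice above (this is example code, not from the article or from any of the vendors it quotes), the following Python script scans GitHub Actions workflow files for references to tj-actions/changed-files and for any `uses:` line that is not pinned to a full 40-character commit SHA. The `COMPROMISED` set, the `audit_workflow`/`audit_repo` names and the sample workflow text (including its SHA) are constructed for the example; it inspects one checked-out branch, so run it per branch to cover all of them.

```python
import os
import re

# Full-length Git commit SHA-1: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses: owner/repo[/subdir]@ref` on a step line; local (./) and docker:// refs are not matched.
USES_RE = re.compile(
    r'''^\s*-?\s*uses:\s*['"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'"#]+)''', re.M
)
# Actions this audit treats as compromised (constructed list; the article names this one).
COMPROMISED = {"tj-actions/changed-files"}


def audit_workflow(text):
    """Return (action, ref, issue) tuples for every risky `uses:` line in one workflow file."""
    findings = []
    for m in USES_RE.finditer(text):
        action, ref = m.group(1), m.group(2)
        owner_repo = "/".join(action.split("/")[:2])
        if owner_repo in COMPROMISED:
            findings.append((action, ref, "compromised action: remove it and rotate this repo's secrets"))
        if not SHA_RE.match(ref):
            # A tag or branch is mutable and can be re-pointed at malicious code; only a full
            # commit SHA is immutable. That the SHA belongs to the action's own repository
            # (not a fork) still has to be confirmed against the upstream repo by hand.
            findings.append((action, ref, "not pinned to a full-length commit SHA"))
    return findings


def audit_repo(root):
    """Audit every workflow file under <root>/.github/workflows for the checked-out branch."""
    wf_dir = os.path.join(root, ".github", "workflows")
    names = sorted(os.listdir(wf_dir)) if os.path.isdir(wf_dir) else []
    results = {}
    for name in names:
        if name.endswith((".yml", ".yaml")):
            with open(os.path.join(wf_dir, name), encoding="utf-8") as f:
                results[name] = audit_workflow(f.read())
    return results


# Constructed sample: one SHA-pinned step, one compromised tag-pinned step, one tag-pinned step.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: tj-actions/changed-files@v45
      - name: Set up Python
        uses: actions/setup-python@v5
"""

if __name__ == "__main__":
    for action, ref, issue in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {issue}")
```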