Major GitHub Supply Chain Attack Exposes CI/CD Secrets in Over 23,000 Projects

Cybersecurity researchers have discovered a supply chain attack targeting the tj-actions/changed-files GitHub Action, a widely used open-source tool relied upon by over 23,000 organizations. This breach raises serious security concerns, potentially exposing sensitive development workflows to malicious actors.

GitHub Actions is a feature that allows developers to automate their software development workflows directly in their repositories. It lets them create custom workflows using YAML syntax to define steps for building, testing, and deploying code. GitHub Actions provides integration with other services and tools, including cloud providers, testing frameworks, and deployment platforms.

Tj-actions is a suite of GitHub Actions designed to streamline CI/CD workflows by automating tasks like detecting file changes, running ESLint checks, and generating coverage badges. These actions improve the efficiency of the software development process, ensure code quality, and simplify deployment.

Malicious GitHub Action exposes CI/CD secrets

On Friday, StepSecurity researchers discovered a malicious commit in the GitHub Actions tool. It allowed attackers to alter its code and update multiple tags to point to the compromised version.

“The compromised Action prints CI/CD secrets in GitHub Actions build logs. If the workflow logs are publicly accessible (such as in public repositories), anyone could potentially read these logs and obtain exposed secrets. There is no evidence that the leaked secrets were exfiltrated to any remote network destination,” StepSecurity explained.

Consequently, the compromised GitHub Action runs a malicious Python script that leaks sensitive information from the continuous integration / continuous delivery (CI/CD) pipeline. This could include API keys, passwords, and other credentials used in the development and deployment process.

How to identify suspicious activity in GitHub Actions

StepSecurity researchers warn that cybercriminals could exploit this attack to compromise software supply chains, targeting open-source libraries, binaries, and artifacts built with the affected GitHub Action. This could put thousands of open-source packages at risk. However, there is currently no evidence that exposed sensitive information from public repositories was transferred to external servers.

Project maintainers should audit their repositories and rotate any secrets used during the attack period. They must also inspect their repositories for signs of compromise. Additionally, users are advised to review their GitHub Actions and use cryptographic hashes instead of tags to reference code for better security.