The attack is being described as “sophisticated” but we can thank our (GitHub) stars that the exfil was a half-assed job that ultimately made only public repos vulnerable and made it obvious in logs whether a compromise occurred.
It’s almost like a grey-hat attacker trying to make the supply chain vulnerabilities more visible without doing major damage themselves. Almost.
I warned about this, but you didn’t have to be clairvoyant to see it coming: https://cedwards.xyz/github-actions-are-an-impending-securit...
GitHub are cutting corners and not working on making their CI/CD offering secure.
Previous discussions: https://news.ycombinator.com/item?id=43368870
> The attack methodology involved a particularly sophisticated approach. Attackers inserted a base64-encoded payload into an install script, causing secrets from affected CI workflows to be exposed in workflow logs.
What? How is that sophisticated? Who wrote this?
I still don't understand how we got to this point where CI/CD pipelines are built from random shit on the internet. I remember people being worried about packages in the system package manager curated by a (relatively) small set of trusted project maintainers. Now we're pulling in garbage written by who knows, under security guidance of nobody. At least the Arch Repo has a procedure and a trust network.
Every time I have to use GitHub actions and it recommends that I use some "community" action, I can't do it. I just know it's written by some 12-year-old on spring break.
I hope GitHub will prioritise immutable actions and enforce it for all actions.
More discussion at the time: https://news.ycombinator.com/item?id=43367987
Guess that "all aboard the LLM/Copilot train!" way of developing your core product really paid off!
This is already a month old. Suggest renaming to make this clear, or you've got people jumping on this as a brand new issue.