- A popular tool for automated software updates, hosted on GitHub
- A piece of malicious code was added to it, exposing users’ secrets
- Dozens of organizations were already harmed, researchers said
Tens of thousands of organizations, from SMBs to large enterprises, risked inadvertently exposing internal secrets after a supply chain attack reached a GitHub account.
A threat actor compromised the GitHub account of the maintainer(s) of tj-actions/changed-files, a tool that is part of a larger collection called tj-actions, which helps automate software updates and, according to reports, is used by more than 23,000 organizations.
Once inside the account, the attacker silently modified the software so that, in addition to doing its intended job, it also stole confidential information from the machines that ran it. Many developers apparently trusted the tool without verifying the changes, ran the malicious code and exposed confidential credentials. According to the report, AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, private RSA keys and more were written to plain-text logs and were therefore exposed.
Dozens of victims
Stolen credentials could allow attackers to access private systems, steal data or compromise the services mentioned above, which means the full effects of this attack will likely only become visible in the coming weeks and months.
GitHub addressed the incident, saying that neither the company nor its platform was compromised in the attack, but that it nevertheless helped remediate the problem.
“As a precaution, we suspended user accounts and removed the content in accordance with GitHub’s acceptable use policies,” GitHub said.
“We restored the account and the content after confirming that all malicious changes had been reverted and the source of compromise had been secured.”
Users should “always review GitHub Actions or any other package they are using in their code before updating to new versions,” GitHub concluded.
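The review GitHub recommends is only practical if a workflow references an action in a way that cannot change underneath you: a mutable tag such as `@v45` follows whatever the maintainer (or an attacker holding the maintainer’s account) points it at, while a full 40-character commit SHA does not. The following script is an added example, not code from the article or from the tj-actions project; it scans a workflow file for `uses:` references and flags every action that is not pinned to a full commit SHA, with a configurable watch list (here `tj-actions/`) for actions you want called out explicitly. The sample workflow and the 40-hex SHA in it are constructed for the example and do not correspond to any real commit.

```python
import re

# A `uses:` step reference looks like owner/repo[/subdir]@ref
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)",
    re.MULTILINE,
)
# Only a full 40-hex commit SHA is immutable; tags and branches are not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not a real project's file). The SHA on the
# setup-node line is a placeholder, not an actual commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Detect changed files
        uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@a1b2c3d4e5f60718293a4b5c6d7e8f9012345678
      - run: npm test
"""


def audit_workflow(text, watch_prefixes=("tj-actions/",)):
    """Return one finding per third-party action reference in a workflow.

    Each finding records the action, the ref it is pinned to, whether that
    ref is an immutable full SHA, and whether the action is on the watch list.
    Local actions (./path) and docker:// references carry no @ref and are skipped.
    """
    findings = []
    for match in USES_RE.finditer(text):
        action, ref = match.group(1), match.group(2)
        findings.append({
            "action": action,
            "ref": ref,
            "pinned": bool(FULL_SHA_RE.match(ref)),
            "watched": action.startswith(watch_prefixes),
        })
    return findings


def unpinned(findings):
    """Filter to the references that float on a tag or branch."""
    return [f for f in findings if not f["pinned"]]


def audit_report(text, watch_prefixes=("tj-actions/",)):
    """Human-readable lines, worst findings first (watched and unpinned)."""
    lines = []
    for f in sorted(audit_workflow(text, watch_prefixes),
                    key=lambda f: (f["pinned"], not f["watched"])):
        status = "pinned" if f["pinned"] else "UNPINNED"
        flag = " [watch list]" if f["watched"] else ""
        lines.append(f"{status:8} {f['action']}@{f['ref']}{flag}")
    return lines


if __name__ == "__main__":
    for line in audit_report(SAMPLE_WORKFLOW):
        print(line)
```

Run it against your own `.github/workflows/*.yml` files; anything reported as UNPINNED should be replaced with the full commit SHA of a version you have actually reviewed, and a comment with the tag name kept beside it so the pin stays readable.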
Ars Technica pointed out that security researchers at Wiz have already found “dozens of users” who were harmed in this attack.
“Wiz Threat Research has so far identified dozens of repositories affected by the malicious GitHub Action, including repositories operated by large enterprise organizations. In these repositories, the malicious payload executed successfully and caused secrets to be leaked into the workflow logs,” they concluded.
If your systems use tj-actions, be sure to inspect them thoroughly for any sign of compromise.
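Because the article says the stolen secrets ended up in plain-text workflow logs, one concrete place to look for a compromise sign is those logs themselves. The script below is an added example, not code from the article or from Wiz or GitHub; it scans log lines for the credential types the report lists (AWS access key IDs, GitHub classic PATs, npm tokens and RSA private-key headers) and returns redacted hits so the scan output itself does not re-expose a secret. The token formats are the publicly documented prefixes for each credential type; the log lines are constructed for the example, and the AWS key ID is the example value from AWS’s own documentation, not a live key.

```python
import re

# Publicly documented credential prefixes for the secret types named in the report.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}

# Constructed workflow log excerpt (not a real run). The AWS key ID is the
# documented AWS example value; the PAT is a dummy made of repeated characters.
SAMPLE_LOG = [
    "##[group]Run tj-actions/changed-files@v45",
    "All changed files: src/app.py",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "GH_TOKEN=ghp_" + "x" * 36,
    "-----BEGIN RSA PRIVATE KEY-----",
    "##[endgroup]",
]


def redact(token):
    """Keep only the first and last four characters so a hit can be matched
    to the real value out of band without reprinting the whole secret."""
    return token[:4] + "..." + token[-4:]


def scan_log(lines):
    """Return (line_number, secret_type, redacted_value) for each match,
    in log order. Line numbers are 1-based to match log viewers."""
    hits = []
    for number, line in enumerate(lines, 1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((number, kind, redact(match.group(0))))
    return hits


def scan_log_file(path):
    """Convenience wrapper for a downloaded workflow log on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_log(fh.read().splitlines())


if __name__ == "__main__":
    for number, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {number}: {kind} -> {value}")
```

Any hit means the credential must be treated as exposed and rotated; the scan tells you which secrets to rotate first, not whether the run was safe, since a compromised action can exfiltrate secrets by routes that never touch the log.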