Source URL: https://www.theregister.com/2025/03/18/wiz_github_supply_chain/
Source: The Register
Title: Google acquisition target Wiz links fresh supply chain attack to 23K pwned GitHub repos
Feedly Summary: Ad giant’s cloudy arm to pay $30B in security shop deal
Wiz security researchers think they’ve found the root cause of the GitHub supply chain attack that unfolded over the weekend, and they say that a separate attack may have been to blame.…
AI Summary and Description: Yes
Summary: The text discusses a recent supply chain attack involving GitHub Actions, specifically the tj-actions/changed-files and reviewdog/action-setup repositories, which led to the leakage of CI/CD secrets for over 23,000 projects. The attack exploited a stolen personal access token (PAT), with researchers suggesting that the compromised reviewdog/action-setup was likely the entry point for the attack. This incident highlights the vulnerabilities in CI/CD systems and the importance of securing actions and managing access tokens.
Detailed Description:
– The report outlines a supply chain attack investigated by Wiz security researchers, which affected multiple GitHub Actions and exposed sensitive information, specifically CI/CD secrets.
– Key components of the compromised actions:
  – **tj-actions/changed-files**: A GitHub Action that tracks file changes in open-source projects and is used by over 23,000 repositories.
  – **reviewdog/action-setup**: A different GitHub Action that was compromised earlier and is suspected to have been the source of the stolen personal access token (PAT) used in the tj-actions attack.
– Attack sequence:
  – A stolen PAT with access to tj-actions/changed-files was used to inject a malicious payload into the repository, exposing secrets such as AWS access keys from the pipelines that ran it.
  – The compromise of tj-actions stemmed from the earlier compromise of reviewdog/action-setup, linking two separate attacks into a chain that reached a larger target.
  – Researchers note that the attacker’s method was stealthy, including reverting the repository to cover their tracks after injecting the malicious code.
– Security researcher Rami McCarthy emphasizes that users of reviewdog should check for leaked secrets and rotate them, particularly if they used versions that were not hash-pinned.
– Recommendations for GitHub users:
  – Replace compromised actions with secure alternatives.
  – Remove references to affected actions from all repository branches.
  – Rotate any exposed secrets to mitigate potential damage.
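As an added example (not code from the article, Wiz, or either project), a small audit script that scans a workflow file for references to the two actions named above and for any action reference that is not pinned to a full commit SHA; the sample workflow, its tag refs and its 40-hex SHAs are constructed placeholders.

```python
import re

# Actions the article names as compromised.
AFFECTED_ACTIONS = {"tj-actions/changed-files", "reviewdog/action-setup"}

# Matches `uses: owner/repo[/path]@ref` on step and job lines of a workflow file.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a hash pin is a full commit SHA

# Constructed sample workflow; the 40-hex SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{'deadbeef' * 5}
      - uses: actions/setup-node@v4          # tag ref, floats with upstream
      - uses: tj-actions/changed-files@v45   # affected and not hash-pinned
      - uses: reviewdog/action-setup@{'cafebabe' * 5}
      - uses: ./.github/actions/local        # local action, nothing to pin
"""

def parse_uses(workflow_text):
    """Yield (owner/repo, ref) for every remote action referenced with `uses:`."""
    for match in USES_RE.finditer(workflow_text):
        target = match.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local path or container image, not an action repository
        path, _, ref = target.partition("@")
        yield "/".join(path.split("/")[:2]), ref  # drop any sub-directory part

def classify(owner_repo, ref):
    """Return a finding label, or None when the reference needs no attention."""
    pinned = bool(FULL_SHA_RE.match(ref))
    if owner_repo in AFFECTED_ACTIONS:
        # Remove the reference either way; an unpinned one also means rotating secrets.
        return "affected-pinned" if pinned else "affected-unpinned"
    return None if pinned else "unpinned"

def audit_workflow(workflow_text):
    """List (owner/repo, ref, label) for each reference that needs attention."""
    findings = []
    for owner_repo, ref in parse_uses(workflow_text):
        label = classify(owner_repo, ref)
        if label:
            findings.append((owner_repo, ref, label))
    return findings
```

Run `audit_workflow` over every `.github/workflows/*.yml` on every branch, since the article's advice is to remove references from all branches, not just the default one.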
This incident underscores the critical need for enhanced security practices around CI/CD pipelines and GitHub Actions, with a focus on access control management and continuous monitoring for unauthorized changes. Security and compliance professionals must advocate for stringent security measures and conduct regular audits to protect their software supply chains.