- A popular tool for automating software updates has been compromised via GitHub
- Malicious code was added that exposes user secrets
- Dozens of organizations have already been affected, researchers say
Tens of thousands of organizations, from SMEs to large enterprises, risked inadvertently exposing internal secrets after a supply-chain attack hit a GitHub account.
A threat actor compromised the GitHub account of the maintainer(s) of tj-actions/changed-files, a tool that is part of a larger collection called tj-actions, which helps automate software updates and is reportedly used by more than 23,000 organizations.
Once inside the account, the attacker silently modified the tool so that, in addition to working as expected, it also stole sensitive information from the machines that ran it. Many developers apparently trusted the tool without reviewing the changes, executing the malicious code and exposing sensitive credentials. The report says that AWS access keys, GitHub Personal Access Tokens (PATs), npm tokens, private RSA keys and more were written in cleartext to logs and were therefore exposed.
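Because the secrets were written into workflow logs in cleartext, the first response step on the defender's side is to find out which credential types appear in the logs of affected runs, so that every one of them can be rotated. The following scanner is an added example, not code from the article or from the tj-actions project; it matches the credential formats the article lists (AWS access key IDs, GitHub PATs, npm tokens, RSA private keys) against a constructed log excerpt. The log text, the timestamps and every key value in it are made up; the AWS key ID is AWS's documented placeholder.

```python
import re

# Constructed excerpt of a CI workflow log. Nothing here is a real credential:
# AKIAIOSFODNN7EXAMPLE is AWS's published placeholder key ID, the token bodies
# are the digits and the alphabet, and the key block is truncated nonsense.
SAMPLE_LOG = """\
2025-01-01T10:02:11Z Run tj-actions/changed-files
2025-01-01T10:02:12Z AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
2025-01-01T10:02:12Z GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
2025-01-01T10:02:12Z NPM_TOKEN=npm_0123456789abcdefghijklmnopqrstuvwxyz
2025-01-01T10:02:13Z -----BEGIN RSA PRIVATE KEY-----
2025-01-01T10:02:13Z MIIEowIBAAKCAQEA... (truncated)
2025-01-01T10:02:14Z All files changed: 3
"""

# Formats of the credential types named in the article. The token shapes are
# the publicly documented prefixes and lengths; they are detectors, not
# guarantees, so treat a hit as "rotate this" rather than as proof of a leak.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "rsa_private_key": re.compile(r"-----BEGIN RSA PRIVATE KEY-----"),
}


def redact(value):
    """Keep only a short prefix/suffix so findings can be reported safely."""
    if len(value) <= 8:
        return "***"
    return value[:4] + "***" + value[-4:]


def scan_log_for_secrets(log_text):
    """Return one finding per credential-shaped match, with the value redacted.

    The full secret is never stored in the result, so the report itself does
    not become a second place where the credential is exposed.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "line": lineno,
                    "kind": kind,
                    "redacted": redact(match.group(0)),
                })
    return findings


def kinds_to_rotate(findings):
    """Distinct credential types seen, i.e. the rotation checklist."""
    return sorted({f["kind"] for f in findings})


if __name__ == "__main__":
    hits = scan_log_for_secrets(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['kind']} ({hit['redacted']})")
    print("rotate:", ", ".join(kinds_to_rotate(hits)))
```

Run it over the downloaded log of every workflow run that used the action during the affected window; the rotation list is the output that matters, since the attacker already has anything that appears. The patterns are intentionally narrow; extend the table with the credential formats your own pipelines carry.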
Dozens of victims
The stolen credentials could allow attackers to access private systems, steal data or compromise the services mentioned above, which means the full effects of this attack will only become clear in the coming weeks and months.
GitHub addressed the incident, saying that neither the company nor its platform was compromised in the attack, but that it has nonetheless helped remediate the problem.
“Out of an abundance of caution, we suspended user accounts and removed content in accordance with GitHub's Acceptable Use Policies,” GitHub said.
“We reinstated the account and restored the content after confirming that all malicious changes had been reverted and the source of the compromise had been secured.”
Users should “always review GitHub Actions or any other package they use in their code before updating to new versions,” GitHub concluded.
Security researchers from Wiz, cited by Ars Technica, have already found “dozens of users” affected by this attack.
“Wiz Threat Research has so far identified dozens of repositories affected by the malicious GitHub Action, including repositories operated by large enterprise organizations. In these repositories, the malicious payload executed successfully and caused secrets to leak into workflow logs,” they concluded.
If your systems use tj-actions, be sure to inspect them carefully for any sign of compromise.
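GitHub's advice to review an action before updating, and the closing advice to inspect any use of tj-actions, both come down to one question: does each workflow reference a reviewed, immutable version of the action, or a tag that whoever controls the repository can repoint? The audit script below is an added example, not code from the article, GitHub or the tj-actions project. It walks the `uses:` lines of a workflow file and flags every action that is not pinned to a full 40-character commit SHA (GitHub's own documented hardening recommendation), and separately flags the action this article names. The workflow file is constructed for the demonstration and its commit SHA is a placeholder, not a real commit.

```python
import re

# Constructed workflow (not from any real repository). The mix of references
# is deliberate: a tag and a branch are mutable, a full commit SHA is not.
# The 40-hex SHA is a placeholder, not a real commit of actions/checkout.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v1
        id: changed
      - uses: actions/setup-node@main
      - uses: ./.github/actions/local-build
      - run: npm test
"""

# A `uses:` value, with or without a leading list dash, up to whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Only a full-length commit SHA is an immutable reference.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# The action the article names as the compromised one.
NAMED_IN_REPORT = {"tj-actions/changed-files"}


def audit_workflow(yaml_text):
    """Return one finding per remote action reference that deserves review.

    Local (./) and container (docker://) actions are skipped: they are not
    fetched from a third-party GitHub repository and need a different check.
    """
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        name, _, version = ref.partition("@")
        reasons = []
        if not FULL_SHA_RE.match(version):
            reasons.append("not pinned to a full commit SHA (tag/branch is mutable)")
        if name in NAMED_IN_REPORT:
            reasons.append("action named in the compromise report; review its history")
        if reasons:
            findings.append({
                "line": lineno,
                "action": name,
                "ref": version or "<none>",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {finding['line']}: {finding['action']}@{finding['ref']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Pinning to a SHA fixes the reference, but it only helps if the commit behind it was actually reviewed, which is what GitHub's statement asks for; the script tells you where that review has not happened, not that it has. Run it over every file under `.github/workflows/` in each repository, and treat a hit on the named action as a prompt to inspect that repository's recent runs and logs.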