GitHub Action Hack Likely Led to Another in Cascading Supply Chain Attack

A recent GitHub Action hack has led to a cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action. The attackers first compromised the v1 tag for the reviewdog/action-setup GitHub action and injected similar code to dump CI/CD secrets to log files.

Researchers at the cybersecurity firm Wiz believe that the attack started with this compromise, which ultimately led to the breach of "tj-actions/changed-files" that leaked CI/CD secrets. The tj-actions developers were unable to pinpoint exactly how the attackers compromised a GitHub personal access token (PAT) used by a bot to perform the malicious code changes.

"We believe that it is likely the compromise of reviewdog/action-setup is the root cause of the compromise of the tj-actions-bot PAT," explains Wiz in their report. "tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token."

The attackers inserted a base64-encoded payload into install.sh, causing secrets from affected CI workflows to be exposed. As in the case of tj-actions, the exposed secrets would be visible on public repositories as part of the workflow logs.
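Because the leaked secrets end up in workflow logs of public repositories, the first defensive task is triage: finding out which runs printed secret-like material, including material that is only visible after base64 decoding. The following script is an added example and is not code from the article, from Wiz, or from the reviewdog or tj-actions projects; the secret patterns, the sample log, and the fake token (`ghp_` + 32 "A"s + "FAKE") are all constructed for this illustration. It decodes base64 runs up to two layers deep before matching, since a payload that base64-encodes its output (possibly twice) would otherwise evade a plain regex scan.

```python
import base64
import re

# Secret formats to look for in logs (constructed list for this example; extend as needed).
SECRET_PATTERNS = {
    "github_pat": re.compile(r"ghp_[A-Za-z0-9]{36}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
}

# A run of base64 alphabet characters long enough to be worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def _decode_layers(blob: str, max_depth: int = 2) -> list[str]:
    """Decode a base64 blob repeatedly (covers double encoding); return each decoded layer as text."""
    layers = []
    current = blob
    for _ in range(max_depth):
        try:
            text = base64.b64decode(current, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # not valid base64 or not text: stop peeling layers
        layers.append(text)
        current = text.strip()
    return layers


def find_leaked_secrets(log_text: str) -> list[dict]:
    """Scan workflow log text for secret-like strings, in plaintext and inside base64 blobs."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        # candidates[0] is the raw line; the rest are decoded layers of any base64 runs on it
        candidates = [line]
        for blob in B64_RUN.findall(line):
            candidates.extend(_decode_layers(blob))
        for depth, text in enumerate(candidates):
            for kind, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(text):
                    findings.append({
                        "line": lineno,
                        "kind": kind,
                        "encoded": depth > 0,      # True if found only after base64 decoding
                        "prefix": match.group()[:8],  # never echo the full secret back out
                    })
    return findings


# --- constructed sample data (not a real token, not a real log) ---
_FAKE_PAT = "ghp_" + "A" * 32 + "FAKE"
_double_encoded = base64.b64encode(
    base64.b64encode(f"GITHUB_TOKEN={_FAKE_PAT}".encode())
).decode()
SAMPLE_LOG = "\n".join([
    "Run reviewdog/action-setup@v1",
    "Installing reviewdog...",
    "##[debug]" + _double_encoded,
    "Done.",
])

if __name__ == "__main__":
    for finding in find_leaked_secrets(SAMPLE_LOG):
        print(finding)
```

Run it against downloaded run logs (for example the zip that GitHub's "Download log archive" produces) for every workflow that referenced a compromised action; any hit means the corresponding secret must be treated as exposed and rotated, and the log deleted, regardless of whether the string was encoded.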

Consequences and Recommendations

Apart from the reviewdog/action-setup@v1 tag that has been confirmed as breached, Wiz explains that other actions may also be impacted. The breach at Reviewdog had been remediated incidentally, but Wiz informed the Reviewdog team and GitHub of its findings to prevent a recurrence.

"Notably, if the action remained compromised, a repeat attack on tj-actions/changed-files with a successful outcome would be practically possible, potentially exposing the just rotated CI/CD secrets," Wiz warns. "We suggest that potentially impacted projects run this GitHub query to check for references to reviewdog/action-setup@v1 in repositories."

Developers are advised to take immediate action to mitigate the risks. This includes removing all references to affected actions across branches, deleting workflow logs, and rotating any potentially exposed secrets.

Prevention Measures

To prevent similar compromises in the future, Wiz suggests two key measures:

  1. Pinning GitHub Actions to commit hashes instead of version tags can help prevent compromised actions from being used by other repositories.
  2. Using GitHub's allow-listing feature to restrict unauthorized actions can also help prevent similar breaches in the future.
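The check Wiz recommends (finding references to reviewdog/action-setup@v1) and the two prevention measures above can be turned into a single repository audit. The script below is an added example, not code from the article, Wiz, or GitHub; it parses `uses:` lines with a regular expression rather than a YAML library so it runs without dependencies, and it approximates GitHub's allow-list patterns with `fnmatch`, which is an assumption rather than GitHub's exact matching rules. The sample workflow and the 40-hex placeholder commit SHA are constructed for the illustration. Local actions (`./path`) and `docker://` references carry no `@ref` and are skipped.

```python
import fnmatch
import re
import sys
from pathlib import Path

# Action references named as compromised in the article; extend from vendor advisories.
KNOWN_BAD = {"reviewdog/action-setup@v1"}

# Matches `uses: owner/repo[/subdir]@ref` in workflow or composite-action YAML.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([\w./-]+)", re.MULTILINE
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(yaml_text: str, allowed_patterns=()) -> list[dict]:
    """Report every action reference that is compromised, tag-pinned, or outside the allow-list."""
    findings = []
    for match in USES_RE.finditer(yaml_text):
        action, ref = match.group(1), match.group(2)
        issues = []
        if f"{action}@{ref}" in KNOWN_BAD:
            issues.append("known-compromised")
        if not FULL_SHA_RE.match(ref):
            issues.append("not-pinned-to-sha")  # a tag or branch can be moved by an attacker
        if allowed_patterns and not any(
            fnmatch.fnmatchcase(action, pattern) for pattern in allowed_patterns
        ):
            issues.append("not-in-allow-list")
        if issues:
            findings.append({"action": action, "ref": ref, "issues": issues})
    return findings


def audit_repo(root: Path, allowed_patterns=()) -> dict:
    """Audit every workflow file under .github/workflows of a checked-out repository."""
    report = {}
    for path in sorted((root / ".github" / "workflows").glob("*.y*ml")):
        found = audit_workflow(path.read_text(encoding="utf-8"), allowed_patterns)
        if found:
            report[str(path)] = found
    return report


# --- constructed sample workflow; the SHA below is a placeholder, not a real commit ---
_PLACEHOLDER_SHA = "0123456789abcdef" * 2 + "01234567"
SAMPLE_WORKFLOW = f"""
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{_PLACEHOLDER_SHA} # v4 pinned by commit hash
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@v45
"""

if __name__ == "__main__":
    # Usage: python audit.py /path/to/repo [allowed-pattern ...]
    if len(sys.argv) > 1:
        for file, findings in audit_repo(Path(sys.argv[1]), tuple(sys.argv[2:])).items():
            for f in findings:
                print(f"{file}: {f['action']}@{f['ref']}: {', '.join(f['issues'])}")
    else:
        for f in audit_workflow(SAMPLE_WORKFLOW, ("actions/*", "tj-actions/*")):
            print(f)
```

Every "not-pinned-to-sha" finding should be replaced with the full commit hash of a reviewed release (keeping the tag in a trailing comment for readability, as in the sample), and the same patterns passed as `allowed_patterns` should be configured as the repository's or organization's allowed-actions policy so that a reference outside the list fails at run time rather than only in this audit.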

These supply chain attacks and leaked CI/CD secrets are bound to have a lasting effect on impacted projects, so quick action is required to mitigate the risks. Stay informed about the latest security developments and best practices for protecting your GitHub Actions repositories.

Additional Resources

In related news:

  • The Reviewdog team has published a security advisory acknowledging the compromise and providing instructions for potentially impacted users.
  • A recent report by Wiz reveals the top 10 MITRE ATT&CK techniques behind 93% of attacks, including supply chain attacks on popular libraries and frameworks.