GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code

September 6, 2024Ravie LakshmananSoftware Security / Hacking

Threat actors have long exploited typographical errors to trick unsuspecting users into visiting malicious websites or downloading tainted software and packages.

These attacks typically involve registering domains or packages whose names differ only slightly from their legitimate counterparts (e.g., goog1e.com vs. google.com).

Adversaries targeting open-source repositories across ecosystems have counted on developers mistyping names to mount software supply chain attacks through PyPI, npm, Maven Central, NuGet, RubyGems, and crates.io.

The latest findings from cloud security company Orca show that even GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform, is exposed to this threat.

“If developers make a typographical mistake in their GitHub Action that corresponds to an imposter’s action, applications might be forced to execute malicious code without the developer’s knowledge,” security researcher Ofir Yakobi said in a report shared with The Hacker News.

The attack is possible because anyone can publish a GitHub Action after creating a GitHub account with a temporary email address. Since actions run within the context of a user’s repository, a malicious action could be used to tamper with the source code, steal secrets, and use them to deliver malware.

All the technique requires is for the attacker to create organizations and repositories whose names closely resemble popular or frequently used GitHub Actions.

If a user makes an inadvertent spelling mistake while configuring a GitHub Action for their project, and the misspelled version has already been registered by the adversary, the user’s workflow will run the malicious action instead of the intended one.

“Visualize an action that extracts confidential information or alters code to introduce subtle defects or backdoors, potentially impacting all forthcoming builds and deployments,” Yakobi said.

“In reality, a compromised action could even exploit your GitHub credentials to upload malicious alterations to other repositories within your organization, amplifying the consequences across numerous projects.”

Orca said a search on GitHub turned up roughly 198 files that reference “action/checkout” or “actons/checkout” instead of “actions/checkout” (note the missing “s” and “i”), putting every one of those projects at risk.

This form of typosquatting is attractive to attackers because it is cheap to carry out and can produce high-impact software supply chain compromises that hit many downstream consumers at once.

Users are advised to double-check actions and their names to ensure they reference the correct GitHub organization, stick to actions from trusted sources, and periodically review their CI/CD workflows for typographical errors.
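One way to turn the first and third recommendation into a repeatable check is a small linter over workflow files that flags every `uses:` owner outside an allowlist and highlights owners that are a near-miss of a trusted name. This is an added example, not tooling from Orca or GitHub; the workflow text and the `TRUSTED_OWNERS` allowlist are constructed for illustration.

```python
import re

# Constructed sample workflow. The two misspelled owners are the ones Orca reported.
WORKFLOW = """
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actons/checkout@v4
      - uses: action/checkout@v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: unknown-org/release-tool@v1
"""

# Assumed allowlist of GitHub organisations the team trusts; tune per organisation.
TRUSTED_OWNERS = {"actions", "github"}

# Matches the value of a `uses:` key, with or without a leading list dash or quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a trusted owner signals a near-miss name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_workflow(text: str, trusted=TRUSTED_OWNERS, max_dist: int = 2) -> list[tuple[int, str, str]]:
    """Return (line_no, uses_value, verdict) for each remote action whose owner is not trusted."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith((".", "docker://")):
            continue  # local path or container image: no GitHub owner to typosquat
        owner = ref.split("@", 1)[0].split("/", 1)[0]
        if owner in trusted:
            continue
        best = min(trusted, key=lambda t: levenshtein(owner, t))
        near = levenshtein(owner, best) <= max_dist
        findings.append((no, ref, f"possible typosquat of '{best}'" if near else "owner not in allowlist"))
    return findings

if __name__ == "__main__":
    for no, ref, verdict in audit_workflow(WORKFLOW):
        print(f"line {no}: {ref}: {verdict}")
```

Run it against every file under `.github/workflows/` in CI so a near-miss owner fails the build before the workflow ever executes the action.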

“This experiment underscores the ease with which attackers can exploit typographical errors in GitHub Actions and the importance of vigilance and optimal practices in thwarting such attacks,” Yakobi said.

“The actual concern is even more worrying because here we are only exposing what transpires in public repositories. The impact on private repositories, where these same typographical errors could trigger serious security violations, remains undisclosed.”