Thousands of open source projects at risk from hack of GitHub Actions tool
Researchers at Wiz Threat Research also said that, as recommended by GitHub, developers should pin all GitHub Actions to specific commit hashes instead of version tags to mitigate against future supply chain attacks. They should also use GitHub’s allow-listing feature to block unauthorized GitHub Actions from running and configure GitHub to allow only trusted actions.
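The two controls the researchers recommend, pinning to a full commit SHA and allow-listing which actions may run, are both checkable from a workflow file. The following is an added example, not code from the article or from GitHub: a small audit that flags `uses:` references pinned to a mutable tag instead of a 40-character commit SHA, and a second check that reports references outside an allow-list. The workflow text is constructed for illustration, the commit SHA in it is a placeholder, and the wildcard matching approximates the pattern style of GitHub's allow-list setting rather than reproducing its exact rules.

```python
import re
from fnmatch import fnmatch

# Constructed sample workflow (not from the article). Two steps are pinned to
# version tags, which a compromised repository can repoint; one is pinned to a
# full commit SHA (placeholder value, not a real commit), which cannot move.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: npm test
"""

# Matches the reference after "uses:", stopping at whitespace or a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full-length commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def remote_action_refs(workflow_text):
    """Return every `uses:` reference that fetches an action from another repository.

    Local actions (./path) and docker:// images are skipped because the
    SHA-pinning guidance is about actions pulled from a third-party repo.
    """
    refs = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        refs.append(ref)
    return refs


def find_unpinned_actions(workflow_text):
    """Return remote action references not pinned to a full 40-hex commit SHA.

    A tag such as @v45 or a branch name is mutable: whoever controls the action's
    repository can move it to malicious code, which is the failure mode the
    article describes. A commit SHA can only be satisfied by that exact content.
    """
    unpinned = []
    for ref in remote_action_refs(workflow_text):
        if "@" not in ref:
            unpinned.append(ref)  # no ref at all means the default branch
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def actions_outside_allowlist(workflow_text, allowed_patterns):
    """Return remote action references matching none of the allowed patterns.

    Patterns use shell-style wildcards, e.g. "actions/*" for every action under
    the actions organization, or "owner/repo@*" for one repository at any ref.
    This is an approximation of GitHub's allow-list syntax (assumption).
    """
    return [
        ref
        for ref in remote_action_refs(workflow_text)
        if not any(fnmatch(ref, pattern) for pattern in allowed_patterns)
    ]


if __name__ == "__main__":
    for ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print("not SHA-pinned:", ref)
    for ref in actions_outside_allowlist(SAMPLE_WORKFLOW, ["actions/*"]):
        print("not on allow-list:", ref)
```

Run against a repository's `.github/workflows/*.yml` files, the first check lists every step whose supplier could still swap code under a fixed-looking tag; the second shows what an allow-list of only first-party `actions/*` would have blocked. Pinning alone is not a complete fix, since the SHA must also be reviewed when it is bumped, but it turns a silent tag move into a visible diff.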
A ‘very serious incident’
In an interview Monday morning, StepSecurity CEO Varun Sharma called it a “very serious incident.” His firm, which makes an endpoint detection and response tool for CI/CD environments, discovered unusual outbound network connections from workflows using tj-actions/changed-files and alerted GitHub that a malicious version of the tool had been inserted to expose CI/CD credentials in build logs.
“Although the original has been restored,” he added, “it’s not clear why that got compromised.”