A supply chain attack on the GitHub Action tj-actions/changed-files led to the leakage of repository secrets; a related compromise of reviewdog/action-setup likely served as the initial link in the attack chain. The incident underscores the need for an immediate response to mitigate credential theft and further compromise. Affected: GitHub Actions, repositories, Continuous Integration (CI) pipelines
Key points:
- A supply chain attack compromised tj-actions/changed-files, causing the secret leakage of numerous repositories.
- The attack is believed to be part of a chain involving reviewdog/action-setup that enabled unauthorized access to a GitHub Personal Access Token (PAT).
- Malicious code was inserted into affected CI workflows, leading to exposure of sensitive data in workflow logs.
- Wiz Research identified timestamps that indicate when the reviewdog/action-setup was compromised.
- No external exfiltration of secrets was observed; they were only visible within the affected repositories.
- Maintainers recommend immediate actions such as rotating secrets, auditing workflows, and stopping the use of impacted actions.
MITRE Techniques:
- Supply Chain Compromise (T1195): Attackers leveraged the changes made to reviewdog/action-setup to obtain compromised tokens, which they then used to modify tj-actions/changed-files.
- Credential Dumping (T1003): CI runner logs exposed secrets that were stored as environment variables or read by the malicious payload.
- Execution (T1203): The attacker injected malicious code directly into the install.sh file of the workflow.
- Modification of System Image (T1542): The v1 tag of reviewdog/action-setup was retargeted to point to a fork containing malicious code.
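The retargeted v1 tag above and the maintainers' recommendation to audit workflows both come down to the same check: a mutable tag (v1, v45, main) can be moved to malicious code, while a full 40-character commit SHA cannot. The following script is an added example, not code from Wiz or from the affected projects. It scans a workflow file for `uses:` references, flags any reference to the two actions named in this incident, and flags any remote action that is not pinned to a full commit SHA. The workflow text, the `IMPACTED_ACTIONS` set, and the SHA shown for actions/checkout are constructed placeholders for the demonstration.

```python
import re
from dataclasses import dataclass

# Actions named in the incident summary above (constructed set for this example).
IMPACTED_ACTIONS = {"tj-actions/changed-files", "reviewdog/action-setup"}

# Matches "uses: owner/repo@ref" on step lines, with or without a leading list dash.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'#]+)["']?""", re.MULTILINE)
# A full commit SHA is the only immutable reference an action can be pinned to.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    action: str          # owner/repo
    ref: str             # tag, branch or commit SHA after the '@'
    pinned_to_sha: bool  # True only for a full 40-hex-char commit SHA
    impacted: bool       # True if the action is on the incident list


def parse_uses(text):
    """Yield (owner/repo, ref) for every remote action referenced by a workflow."""
    for match in USES_RE.finditer(text):
        spec = match.group(1)
        # Local composite actions and docker:// images are not GitHub tag references.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        # Reduce "owner/repo/subpath" to "owner/repo" so subpath actions are matched too.
        repo = "/".join(action.split("/")[:2])
        yield repo, ref


def audit_workflow(text, impacted=IMPACTED_ACTIONS):
    """Return one Finding per remote action reference in the workflow text."""
    return [
        Finding(repo, ref, bool(SHA_RE.match(ref)), repo in impacted)
        for repo, ref in parse_uses(text)
    ]


def risky(findings):
    """Findings that need action: impacted actions, or refs an attacker could retarget."""
    return [f for f in findings if f.impacted or not f.pinned_to_sha]


# Constructed sample workflow; the SHA below is a placeholder, not a real checkout commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - name: local build
        uses: ./.github/actions/build
      - uses: docker://alpine:3.19
      - uses: actions/setup-node@v4
"""


def main():
    for f in risky(audit_workflow(SAMPLE_WORKFLOW)):
        reason = "IMPACTED ACTION" if f.impacted else "not pinned to a commit SHA"
        print(f"{f.action}@{f.ref}: {reason}")


if __name__ == "__main__":
    main()
```

Run against a real repository, the script would be applied to every file under `.github/workflows/`; a finding marked impacted means the action should be removed and the repository's secrets rotated, and an unpinned finding should be replaced with a reviewed commit SHA so that a future tag retargeting cannot silently change the code that runs in CI.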
Indicators of Compromise:
- [Tag] v1 (the exact commit hash was not provided in the source text, so only the tag is listed)
Full Story: https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup