Open-source software utilized by over 23,000 organizations, including several large enterprises, has fallen victim to a breach involving credential-stealing malware after attackers breached the account of a maintainer. This incident marks yet another significant open-source supply-chain attack that has disrupted the digital landscape.
The compromised package, known as tj-actions/changed-files, is part of tj-actions, a repository widely adopted across these organizations. Tj-actions functions as one of the numerous GitHub Actions, a toolset designed to enhance software processes on the open-source developer platform. GitHub Actions are integral to implementing Continuous Integration and Continuous Deployment (CI/CD), which are essential methodologies for modern software development.
On Friday or possibly earlier, unauthorized modifications were introduced to the source code for all versions of tj-actions/changed-files. These adjustments altered the “tags” that developers utilize to reference certain code versions, redirecting them to a publicly accessible file capable of scraping server memory. This file is designed to search for credentials and document them in a log, exposing sensitive information from numerous public repositories reliant on tj-actions.
HD Moore, an expert in open-source security and the CEO of runZero, highlighted the inherent risks posed by such actions. He stated that GitHub Actions can alter the source code of the repository they are associated with and access secret variables within the workflow. The most cautious developers often conduct thorough audits of the source code and specify exact commit hashes in their workflows, despite the added complexity this entails.
The implications of this attack are substantial for the business community. The exposure of sensitive credentials in publicly accessible logs can lead to unauthorized system access, data breaches, and the potential for adversaries to exploit vulnerabilities further. Organizations leveraging open-source solutions must exercise heightened vigilance to protect against similar threats.
This breach underscores the necessity for robust security measures in software development practices. Utilizing the MITRE ATT&CK framework can aid in identifying potential adversary tactics employed during such attacks, including initial access through compromised accounts, persistence through unauthorized code manipulation, and the subsequent escalation of privileges by gaining access to sensitive credentials.
As businesses increasingly rely on open-source tools, maintaining rigorous security protocols and continuous monitoring of supply-chain integrity is paramount to mitigating risks associated with these evolving cyber threats.
