
GitHub Actions Typosquatting: a High-Impact Supply Chain Attack-in-Waiting? (csoonline.com)

GitHub Actions let developers "automate software builds and tests," writes CSO Online, "by setting up workflows that trigger when specific events are detected, such as when new code is committed to the repository."

They also "can be reused and shared with others on the GitHub Marketplace, which currently lists thousands of public Actions that developers can use instead of coding their own. Actions can also be included as dependencies inside other Actions, creating an ecosystem similar to other open-source component registries." Researchers from Orca Security recently investigated the impact typosquatting can have in the GitHub Actions ecosystem by registering 14 GitHub organizations with names that are misspellings of popular Actions owners — for example, circelci instead of circleci, actons instead of actions, google-github-actons instead of google-github-actions... One might think that developers making typos is not very common, but given the scale of GitHub — over 100 million developers with over 420 million repositories — even a statistically rare occurrence can mean thousands of potential victims. For example, the researchers found 194 workflow files calling the "action" organization instead of "actions"; moreover, 12 public repositories started referencing the researchers' fake "actons" organization within two months of setting it up.

"Although the number may not seem that high, these are only the public repositories we can search for and there could be multiple more private ones, with numbers increasing over time," the researchers wrote... Ultimately this is a low-cost high-impact attack. Having the ability to execute malicious actions against someone else's code is very powerful and can result in software supply chain attacks, with organizations and users that then consume the backdoored code being impacted as well...

Out of the 14 typosquatted organizations that Orca set up for their proof-of-concept, GitHub only suspended one over a three-month period — circelci — and that's likely because someone reported it. CircleCI is one of the most popular CI/CD platforms.

Thanks to Slashdot reader snydeq for sharing the article.
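
A check a repository owner could run over their own workflow files to catch the near-miss owner names described above (actons, circelci, action). This is an added example, not code from the article or from Orca's research; the allowlist, the distance threshold of 2, and the sample workflow are assumptions constructed for illustration.

```python
import re

# Assumption: the owners this organization actually intends to use (hypothetical allowlist).
TRUSTED_OWNERS = {"actions", "circleci", "google-github-actions"}
# Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// references never match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([A-Za-z0-9][A-Za-z0-9-]*)/[^@\s'\"]+@", re.M)

# Constructed sample workflow fragment; repository names are placeholders.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actons/setup-node@v4
  - uses: circelci/example-step@v1
  - uses: some-vendor/tool@v2
"""


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]


def find_suspect_owners(workflow_text, trusted=TRUSTED_OWNERS, max_distance=2):
    """Return (line_no, owner, lookalike_of) for owners that nearly match a trusted owner."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        owner = m.group(1).lower()  # GitHub owner names are case-insensitive
        if owner in trusted:
            continue
        line_no = workflow_text.count("\n", 0, m.start(1)) + 1
        for good in sorted(trusted):
            if osa_distance(owner, good) <= max_distance:
                findings.append((line_no, owner, good))
                break
    return findings


if __name__ == "__main__":
    for line_no, owner, good in find_suspect_owners(SAMPLE):
        print(f"line {line_no}: owner '{owner}' looks like '{good}'")
```

Owners that are neither trusted nor close to a trusted name (some-vendor here) are not flagged by this check and still need ordinary vetting.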

  • could be to clone the public resources off github to a local repository. Then, if you have a typo, it just fails instead of using a public resource. This goes against the ethos of "all hail the cloud" of course. You could also sync your local repository to the Github one to keep it up to date.

    This is speculation on my part. If I'm wrong, by all means enlighten me on this.

  • In general software developers just add dependencies to other repos without thinking twice. No vetting of any kind. Often the dependencies aren't even pointing at a specific release but "latest". In other cases we use Renovate or similar to at least lock the dependencies in our specific revision of our code to a specific version of each dependency, but then the master branch is automatically updated with the newest version of all dependencies every night. One project hacked, and our CI server and probably m
  • Github Copilot carefully types in my action names for me
