Open-Source Software Compromised with Credential-Stealing Code
Background
Open-source software used by more than 23,000 organizations, some of which are large enterprises, was compromised with credential-stealing code after attackers gained unauthorized access to a maintainer account. This is the latest open-source supply-chain attack to affect the Internet.
The Affected Package
The corrupted package, tj-actions/changed-files, is part of tj-actions, a collection of files used by more than 23,000 organizations. Tj-actions is one of many GitHub Actions, a workflow-automation feature available on the open-source developer platform. Actions are a core means of implementing what is known as CI/CD, short for Continuous Integration and Continuous Deployment (or Continuous Delivery).
Scraping Server Memory at Scale
On Friday or earlier, the source code for all versions of tj-actions/changed-files received unauthorized updates that changed the "tags" developers use to reference specific code versions. The tags pointed to a publicly available file that copies the internal memory of servers running it, searches for credentials, and writes them to a log. As a result, many publicly accessible repositories running tj-actions ended up displaying their most sensitive credentials in logs that anyone could view.
The Impact
"The scary part of actions is that they can often modify the source code of the repository that is using them and access any secret variables associated with a workflow," said HD Moore, founder and CEO of runZero and an expert in open-source security, in an interview. "The most paranoid use of actions is to audit all of the source code, then pin the specific commit hash instead of the tag into the … the workflow, but this is a hassle."
Conclusion
The latest open-source supply-chain attack highlights the importance of secure coding practices and the need for developers to be vigilant in securing their software. It is crucial for organizations to regularly review and update their software dependencies to ensure that they are not vulnerable to such attacks.
FAQs
- What is tj-actions?
Tj-actions is a collection of files used by more than 23,000 organizations for streamlining software development.
- What is the impact of the attack?
The attack compromised the security of many publicly accessible repositories, causing sensitive credentials to be displayed in logs that anyone could view.
- What is the solution to prevent such attacks?
The most paranoid use of actions is to audit all of the source code, then pin the specific commit hash instead of the tag into the … the workflow, but this is a hassle.
- What is the importance of secure coding practices?
Secure coding practices are crucial to prevent such attacks and ensure the security of open-source software.