Message-ID: <10ea58b5-3b2b-44b7-a5bb-5f06c356e9fe@gmail.com>
Date: Tue, 18 Mar 2025 20:32:19 -0500
From: Jacob Bachmeyer <jcb62281@...il.com>
To: oss-security@...ts.openwall.com, Mark Esler <mark.esler@...inguard.dev>
Subject: Re: tj-action/changed-files GitHub action was compromised

On 3/15/25 14:03, Mark Esler wrote:
> On March 14 2025 at 16:57:45 UTC the tj-action/changed-files GitHub action was
> compromised with commit 0e58ed8 ("chore(deps): lock file maintenance (#2460)").
> This commit was added to all 361 tagged versions of the GitHub action. This
> malicious commit results in a script that can leak CI/CD secrets from runner
> memory.
>
> [...]

How the attacker got the commit into the tj-action/changed-files namespace seems obvious (GitHub uses a common storage pool for a repository and its forks; an attacker need only fork a repository and push the malicious commit to his own fork), but has there been any progress on determining how the tags were repointed?

I hope the explanation is stolen credentials, but possibilities include exploits on maintenance bots or even GitHub itself.


-- Jacob
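
A defender-side check for the tag-repointing question raised in this message, added here as an example that is not code from the thread or from the tj-action project: it parses `git ls-remote --tags` output and reports every tag whose commit no longer matches a pinned baseline (the commit a SHA-pinned `uses:` line would carry). The sample `ls-remote` output, the tag names and the baseline SHAs are constructed; the `fetch_tags` helper is the live variant and is not exercised offline.

```python
import re
import subprocess
from typing import Dict, Tuple

# One `git ls-remote --tags` line: <40-hex sha> TAB refs/tags/<name>[^{}]
LS_REMOTE_LINE = re.compile(r"^([0-9a-f]{40})\trefs/tags/(.+?)(\^\{\})?$")

# Constructed sample output. Annotated tags appear twice: the tag object
# itself and the peeled commit it points at (suffix ^{}).
SAMPLE_LS_REMOTE = (
    "a" * 40 + "\trefs/tags/v45\n"
    + "b" * 40 + "\trefs/tags/v45^{}\n"
    + "c" * 40 + "\trefs/tags/v46.0.1\n"
    + "c" * 40 + "\trefs/tags/v46\n"
)

# Constructed baseline: the commit each tag resolved to at last review.
BASELINE = {"v45": "b" * 40, "v46.0.1": "c" * 40, "v46": "d" * 40}


def parse_ls_remote(text: str) -> Dict[str, str]:
    """Map tag name -> commit SHA. The peeled (^{}) entry wins so that
    annotated and lightweight tags both resolve to the checked-out commit."""
    tags: Dict[str, str] = {}
    peeled = set()
    for line in text.splitlines():
        m = LS_REMOTE_LINE.match(line.strip())
        if not m:
            continue
        sha, name, is_peeled = m.groups()
        if is_peeled:
            tags[name] = sha
            peeled.add(name)
        elif name not in peeled:
            tags[name] = sha
    return tags


def fetch_tags(repo_url: str) -> Dict[str, str]:
    """Live variant: query the remote (requires git and network access)."""
    proc = subprocess.run(["git", "ls-remote", "--tags", repo_url],
                          check=True, capture_output=True, text=True)
    return parse_ls_remote(proc.stdout)


def repointed_tags(baseline: Dict[str, str],
                   current: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {tag: (expected_sha, actual_sha)} for moved or missing tags."""
    return {tag: (exp, current.get(tag, "<missing>"))
            for tag, exp in baseline.items() if current.get(tag) != exp}


if __name__ == "__main__":
    for tag, (exp, act) in repointed_tags(BASELINE, parse_ls_remote(SAMPLE_LS_REMOTE)).items():
        print(f"{tag}: expected {exp[:12]} got {act[:12]}")
```

Run against a real remote by replacing the sample with `fetch_tags(url)`; a non-empty result means a tag a workflow resolves by name now checks out different code than when it was reviewed.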
