
Breached GitHub Data May Only be Short-Lived Access Tokens

Whilst 218 repositories leaked secrets, impact may be limited.


Further analysis of the data breached from GitHub Actions shows that only GitHub install access tokens, which are relatively short-lived and less valuable to attackers, may have been exposed.

According to analysis by Endor Labs, even though the initial scale of the supply chain attack sounded scary, considering that tens of thousands of repositories depend on the GitHub Action, only 218 repositories leaked secrets. Those short-lived GITHUB_TOKENs expire once a workflow run is completed.

“In other words, in order to exploit a leaked GITHUB_TOKEN, attackers need to perform malicious activities during the workflow run,” said Henrik Plate, security researcher at Endor Labs. “This could be achieved by intentionally pausing the workflow execution as exemplified in this blog, however, this behaviour has not been observed in this particular case.”

He also said that the original incident report claimed that the GitHub Action ‘tj-actions/changed-files’ is used in tens of thousands of repositories; but it is important to understand that not all repositories using tj-actions/changed-files were affected, meaning not all of them leaked sensitive secrets in workflow logs that could be harvested by attackers.


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
