Photo credit: arstechnica.com
In a significant security breach, open-source software utilized by over 23,000 organizations, including numerous large enterprises, has been compromised with code designed to steal user credentials. This incident marks another alarming example of an open-source supply chain attack that has disrupted the online community.
The affected package, tj-actions/changed-files, is part of the tj-actions suite, which facilitates workflow automation for developers. This suite runs within GitHub Actions, a tool designed to improve development efficiency through automation. GitHub Actions plays a pivotal role in CI/CD pipelines (Continuous Integration and Continuous Deployment, or Continuous Delivery).
Exploiting Server Memory Vulnerabilities
Reports indicate that sometime on Friday or earlier, unauthorized modifications were made to the source code of all versions of tj-actions/changed-files. These alterations affected the “tags” developers use to identify specific versions of the code. The compromised tags pointed to a publicly accessible file that could read and copy the memory of the servers running the package, systematically search it for sensitive credentials, and write them to the build logs for later exploitation. Consequently, many public repositories that used tj-actions exposed critical credentials in publicly readable logs.
“One of the alarming aspects of actions is their ability to modify the source code of the repositories utilizing them, along with accessing any secret variables linked to a workflow,” stated HD Moore, founder and CEO of runZero, who specializes in open-source security. He highlighted the extreme caution required in utilizing these actions, suggesting that the most rigorous approach would involve auditing all source code and directly referencing specific commit hashes rather than using tags, although he acknowledged that this method can be cumbersome.
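The mitigation Moore describes, referencing an action by an immutable commit hash rather than a movable tag, can be checked mechanically. The script below is an added illustration, not code from the article or from the tj-actions project: it scans GitHub Actions workflow text for `uses:` references and flags any third-party action that is not pinned to a full 40-character commit SHA. The workflow embedded in it is constructed for the example, and the SHA and tag values in it are placeholders, not real commits or releases of any action.

```python
"""Audit GitHub Actions workflow text for actions not pinned to a full commit SHA.

Added example, not part of the original article. It parses `uses:` lines with a
regex rather than a YAML library so it runs with the standard library only.
"""
import re
from dataclasses import dataclass

# Matches `uses: owner/repo[/subdir]@ref` on a step (`- uses:`) or a reusable
# workflow job (`uses:`), with optional quotes; a trailing `# comment` is excluded.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?', re.MULTILINE)

# A full git object id: 40 lowercase hex digits. Short SHAs are deliberately not
# accepted because a prefix can become ambiguous as the repository grows.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


@dataclass(frozen=True)
class ActionRef:
    action: str  # e.g. tj-actions/changed-files
    ref: str     # the part after '@': tag, branch or commit SHA ('' if absent)
    kind: str    # 'sha' (immutable), 'mutable' (tag/branch/none), 'local', 'docker'


def parse_uses(value: str) -> ActionRef:
    """Classify a single `uses:` value."""
    if value.startswith('./'):
        return ActionRef(value, '', 'local')          # code already in this repo
    if value.startswith('docker://'):
        return ActionRef(value, '', 'docker')         # image pinning is a separate check
    action, sep, ref = value.partition('@')
    if not sep:
        return ActionRef(action, '', 'mutable')       # no ref resolves to the default branch
    kind = 'sha' if FULL_SHA_RE.match(ref) else 'mutable'
    return ActionRef(action, ref, kind)


def audit(workflow_text: str) -> list[tuple[int, ActionRef]]:
    """Return (line_number, ActionRef) for every reference that a tag move could hijack."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        ref = parse_uses(m.group(1))
        if ref.kind == 'mutable':
            line_no = workflow_text.count('\n', 0, m.start()) + 1
            findings.append((line_no, ref))
    return findings


def report(workflow_text: str, name: str = 'workflow.yml') -> list[str]:
    """Human-readable findings, one line each."""
    return [
        f"{name}:{line}: {ref.action}@{ref.ref or '<default branch>'} "
        f"is not pinned to a full commit SHA"
        for line, ref in audit(workflow_text)
    ]


# Constructed sample workflow. The SHA below is a placeholder, not a real commit,
# and the tag names are illustrative only.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Detect changed files
        uses: tj-actions/changed-files@v1   # placeholder tag, mutable
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""

if __name__ == '__main__':
    for line in report(SAMPLE_WORKFLOW):
        print(line)
```

Run it over every file under `.github/workflows/`; a clean run means every external action resolves to an exact commit, so a retargeted tag such as the one in this incident would have no effect until someone deliberately updates the pin. Pinning also changes what a review has to look at: a pin bump is a diff of one hash, which is what makes Moore's suggested audit of the referenced source practical.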
Source
arstechnica.com