"Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines"

When an attacker submits changes to an open-source repository on GitHub, downstream software projects that include the most recent version of a component may compile updates containing malicious code. According to Legit Security, a software supply chain security firm, this "artifact poisoning" vulnerability could affect software projects that use GitHub Actions, a service for automating development pipelines, by triggering the build process when a change in a software dependency is detected. Legit Security simulated an attack on the project that manages Rust, causing the project to recompile using a customized and malicious version of the popular GCC software library.

According to Liav Caspi, chief technology officer of Legit Security, the problem likely affects a large number of open-source projects because maintainers typically run tests on contributed code before analyzing it themselves. He describes it as a common pattern nowadays. Many open-source projects today run a slew of tests to validate a change request because the maintainer does not want to have to review the code first. Instead, it runs tests automatically.

The attack makes use of the automated build process provided by GitHub Actions. The vulnerable pattern in the Rust programming language could have allowed an attacker to execute code in a privileged manner as part of the development pipeline, stealing repository secrets and potentially tampering with code. Any GitHub user can create a fork that generates an artifact, then inject it into the repository's build process and modify its output. This is another type of software supply chain attack in which an attacker modifies the build output. This article continues to discuss artifact poisoning in GitHub Actions.
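A defensive check for the pattern described above, as an added example that is not from the article or from Legit Security: before a privileged pipeline step consumes a build artifact, it keeps only artifacts whose producing workflow run was built from the upstream repository itself rather than from a fork. It assumes artifact metadata in the shape returned by GitHub's REST API for artifacts (`workflow_run.repository_id` and `workflow_run.head_repository_id`); the repository IDs, artifact name and sample records are constructed.

```python
from datetime import datetime

# Constructed sample shaped like GitHub's artifact listing; IDs, names and
# timestamps are made up for illustration.
UPSTREAM_REPO_ID = 1001
ARTIFACTS = [
    {"id": 1, "name": "build-output", "expired": False,
     "created_at": "2022-12-01T10:00:00Z",
     "workflow_run": {"id": 50, "repository_id": 1001, "head_repository_id": 1001}},
    {"id": 2, "name": "build-output", "expired": False,
     "created_at": "2022-12-01T12:00:00Z",  # newest, but built from a fork
     "workflow_run": {"id": 51, "repository_id": 1001, "head_repository_id": 2002}},
    {"id": 3, "name": "build-output", "expired": True,
     "created_at": "2022-11-01T09:00:00Z",
     "workflow_run": {"id": 40, "repository_id": 1001, "head_repository_id": 1001}},
    {"id": 4, "name": "build-output", "expired": False,
     "created_at": "2022-12-01T11:00:00Z"},  # no provenance recorded
]

def artifact_origin(artifact, upstream_repo_id):
    """Classify where an artifact was built: 'upstream', 'fork' or 'unknown'."""
    run = artifact.get("workflow_run") or {}
    head = run.get("head_repository_id")
    if head is None or run.get("repository_id") != upstream_repo_id:
        return "unknown"
    return "upstream" if head == upstream_repo_id else "fork"

def select_trusted_artifact(artifacts, name, upstream_repo_id):
    """Return (newest trusted artifact or None, list of rejected (id, reason))."""
    trusted, rejected = [], []
    for a in artifacts:
        if a.get("name") != name:
            continue
        origin = artifact_origin(a, upstream_repo_id)
        if a.get("expired"):
            rejected.append((a["id"], "expired"))
        elif origin != "upstream":
            rejected.append((a["id"], origin))  # fail closed on fork/unknown
        else:
            trusted.append(a)
    trusted.sort(key=lambda a: datetime.strptime(a["created_at"], "%Y-%m-%dT%H:%M:%SZ"))
    return (trusted[-1] if trusted else None), rejected

if __name__ == "__main__":
    chosen, rejected = select_trusted_artifact(ARTIFACTS, "build-output", UPSTREAM_REPO_ID)
    print("use:", chosen and chosen["id"], "rejected:", rejected)
```

Selecting by name and recency alone would pick artifact 2 here, the one produced from the fork; the origin check is what excludes it.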

Dark Reading reports "Artifact Poisoning in GitHub Actions Imports Malware via Software Pipelines"

Submitted by Anonymous on