🔹 Tens of thousands of public GitHub repositories are vulnerable to malicious code injection via self-hosted GitHub Actions runners, which could lead to high-impact supply chain attacks, security researchers warn. 🔹 This new class of CI/CD attacks can be launched if a repository has self-hosted runners attached. These are “build agents hosted by end users running the Actions runner agent on their own infrastructure,” Praetorian security researcher Adnan Khan explains. 🔹 A self-hosted runner attached to a repository can be used by any workflow running in that repository’s context, and this also applies to workflows from fork pull requests, which could run malicious code, thus representing a major security risk. 🔹 “By changing a workflow file within their fork, and then creating a pull request anyone with a GitHub account can run arbitrary code on a self-hosted runner,” Khan notes. #suplychain #supplychainattacks #github #vendor #vendors #vendorriskmanagement #vendorrisk #tprm #cybersecurity #governance #thirdpartyrisk #vrm #openvrm #buckler https://lnkd.in/gGwVgw92
Open VRM’s Post
More Relevant Posts
-
Helping demystify cyber threat intelligence for businesses and individuals | CTI | Threat Hunting | Custom Tooling
🔉 Mishandled GitHub token exposes Mercedes-Benz source code 🔉 The mishandling of GitHub tokens has led to the exposure of Mercedes-Benz source code, with researchers at RedHunt Labs discovering "unrestricted" and "unmonitored " access to an Internal GitHub Enterprise Server. The token providing this access was exposed via a public GitHub repository. 👉 This exposure provided access to a wealth of information, including intellectual property, access keys, connection strings, SSO passwords, API keys, and other critical internal details. It highlights the need for all organizations to secure their code repos and model this attack vector. #cybersecurity #news #github #mercedes #dataleak
Mercedes-Benz Source Code at Risk: GitHub Token Mishap Sparks Major Security Concerns - RedHunt Labs
http://redhuntlabs.com
-
I help businesses proactively enhance their security posture | Senior Associate, Cyber Security Consultant at KPMG Sweden
So, for anyone out of the loop – GitHub has now implemented push protection as a default feature, which scans code commits for secrets before accepting them. This helps to safeguard against unintentional exposure of private data, such as access tokens and passwords, within public repositories. GitHub boasts its ability to identify over 200 distinct secret patterns and token types. Even after the couple of high-impact breaches due to exposed credentials and secrets that have happened the last few years, GitHub reported that they detected a staggering amount of over 1 million leaked secrets in public repositories in the first 8 weeks of 2024 alone! What additional proactive measures do you think developers and organizations should adopt to prevent secrets from ever being exposed in the first place? Full article: https://lnkd.in/egczUYFX #github #security #devops #cybersecurity
GitHub enables push protection by default to stop secrets leak
bleepingcomputer.com
-
GitHub Vulnerability “ArtiPACKED” Trigger RCE Exploit to Hack Repositories: The research identifies a critical security vulnerability in GitHub Actions artifacts, enabling unauthorized access to tokens and secrets within CI/CD pipelines. Misconfigured workflows in major organizations’ public repositories exposed sensitive information, potentially compromising cloud environments and allowing attackers to inject malicious code into production systems. By exploiting leaked GitHub tokens, adversaries could manipulate repositories and […] The post GitHub Vulnerability “ArtiPACKED” Trigger RCE Exploit to Hack Repositories appeared first on Cyber Security News. #CyberSecurity #InfoSec
GitHub Vulnerability "ArtiPACKED" Trigger RCE Exploit to Hack Repositories
https://cybersecuritynews.com
-
A critical vulnerability in the GitHub Enterprise Server (GHES), a self-hosted version of GitHub, has been discovered. It lets attackers bypass authentication measures on vulnerable instances and gain unrestricted admin access. More here on the critical security flaw and its patch: https://lnkd.in/ebdFYQK2 #GitHub #IT #Code #Programming #Developers #Cybersecurity #SecurityExploit #SecureCode
GitHub Issues Patch for Critical Exploit in Enterprise Server
https://securityboulevard.com
-
It's not about security. It's about trust: CyberRisk Executive | VCISO | Fractional Leader | Public Speaker
Github has a scaling problem. Not the infrastructure itself, but the pace of uploaded malware is more than it can handle. The latest wave of malware started spreading in May of 2023. Threat actors download legitimate code from Github (also leveraging PyPi and NPM repositories) embed the malware and then upload to a new repository with the same name. The entire attack chain is automated so there have been over 100,000 malicious repositories identified. Github is removing the poisoned repos as fast as it can, but the volume and complexity of the attack is challenging their abilities. This is an insight into digital supply chain risks that continue to grow in scale and complexity. When your dev teams download libraries and code from public repos, what steps do they go through to ensure the downloaded code is what was expected -- and safe? As we increase automation in the CI/CD pipelines, authenticity and security checks need to occur earlier. There are rumors that Microsoft is going to push code signing again with the upcoming Windows 12. It is one approach that has been around for quite a while, but hasn't become standard yet. Maybe we need something else? How are you validating the code your teams are downloading, developing and sharing? https://lnkd.in/gi6vxZsZ #cybersecurity #devsecops #cicd #itsabouttrust
GitHub besieged by millions of malicious repositories in ongoing attack
arstechnica.com
-
I design secure cloud architectures with a defense-in-depth approach to mitigate risk, while teaching people at all levels how to be more secure online and in life.
I found a great explanation of unsafe reflection at https://lnkd.in/gMxWUW7n
🚨 GitHub fixes high-severity bug (CVE-2024-0200) that could've exposed your credentials in production containers. Your keys have been rotated — Import new ones for commit signing, Actions, Codespaces, or Dependabot. Details here: https://lnkd.in/dmtEatqq #cybersecurity #tech
GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials
thehackernews.com
-
GitHub Vulnerability 'ArtiPACKED' Exposes Repositories to Potential Takeover | Read more hacking news on The Hacker News cybersecurity news website and learn how to protect against cyberattacks and software vulnerabilities.
GitHub Vulnerability 'ArtiPACKED' Exposes Repositories to Potential Takeover
thehackernews.com
-
A vulnerability in an archived Apache project, highlighted the risk of using outdated third-party dependencies. There's more to learn with SimpleCyber, get all the knowledge and solutions to protect your digital security! #SimpleCyber #cybersecurity #Apache
Vulnerability in Apache Project Let Hackers Launch Supply Chain Attacks
https://cybersecuritynews.com
-
Researchers discovered a vulnerability in an archived #Apache project, highlighting the risk of using outdated third-party dependencies, where attackers can exploit the way package managers prioritize public repositories to install a malicious package with the same name as a legitimate private dependency. #cybersecurity #opensource #archive
Vulnerability in Apache Project Let Hackers Launch Supply Chain Attacks
https://cybersecuritynews.com
-
Researchers discovered a vulnerability in an archived Apache project, highlighting the risk of using outdated third-party dependencies, where attackers can exploit the way package managers prioritize public repositories to install a malicious package with the same name as a legitimate private dependency. https://lnkd.in/e-jbTGvs #cybersecurity #ciberseguridad
Vulnerability in Apache Project Let Hackers Launch Supply Chain Attacks
https://cybersecuritynews.com