A recent cascading supply chain attack, initiated by the compromise of the "reviewdog/action-setup@v1" GitHub Action, has reportedly led to a breach involving "tj-actions/changed-files," resulting in the exposure of CI/CD secrets.

Details of the Supply Chain Attack

Last week, a security breach in the tj-actions/changed-files GitHub Action allowed malicious code to log CI/CD secrets for 23,000 repositories. If these logs had been public, attackers could have accessed these secrets. The developers of tj-actions are uncertain about how the attackers obtained a GitHub personal access token (PAT) used by a bot for malicious code alterations.

Investigative Findings

Researchers from Wiz suggest that the attack may have originated from a compromised GitHub action named 'reviewdog/action-setup.' The attackers reportedly tampered with the v1 tag of this action, embedding code to extract CI/CD secrets into log files.

  • Compromised Action: The reviewdog/action-setup was used by tj-actions/eslint-changed-files, enabling the theft of the tj-actions PAT.
  • Timing: The compromise of reviewdog coincided with the tj-actions PAT breach.

The attackers embedded a base64-encoded payload in install.sh, exposing secrets from affected CI workflows.

Potentially Affected Actions

In addition to the confirmed breach of reviewdog/action-setup@v1, other actions might also be compromised:

  • reviewdog/action-shellcheck
  • reviewdog/action-composite-template
  • reviewdog/action-staticcheck
  • reviewdog/action-ast-grep
  • reviewdog/action-typos

Wiz has informed Reviewdog and GitHub of these findings to prevent future incidents. Although the exact breach method is unclear, Reviewdog's large contributor base and automated member invitations widen the attack surface of the organization.

Recommendations for Mitigation

Wiz advises projects potentially impacted to run a GitHub query to identify references to reviewdog/action-setup@v1 in repositories. The presence of double-encoded base64 payloads in workflow logs confirms a leak of secrets.

  • Immediate Actions: Remove references to affected actions, delete workflow logs, and rotate exposed secrets.
  • Preventive Measures: Pin GitHub Actions to commit hashes and utilize GitHub's allow-listing feature to restrict unauthorized actions.
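As an added illustration of the two recommendations above (finding references to the affected actions and checking that every action is pinned to a commit hash), the following script is not part of the article or of any Wiz or Reviewdog tooling; it scans a workflow file for `uses:` lines and reports any that name a flagged action or that use a mutable tag instead of a full commit SHA. The sample workflow and its checkout SHA are constructed placeholders.

```python
import re
# Actions the article names as compromised or potentially compromised.
FLAGGED_ACTIONS = {
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
}

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit hash is the only immutable pin


def audit_workflow(yaml_text: str) -> list[dict]:
    """Scan a workflow file line by line and return one finding per `uses:`
    reference that names a flagged action or is not pinned to a commit SHA."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local composite actions and Docker images are out of scope here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        repo = "/".join(action.split("/")[:2])  # owner/repo, drop any subpath
        if repo in FLAGGED_ACTIONS:
            findings.append({"line": lineno, "uses": ref, "issue": "flagged-action"})
        if not SHA_RE.match(version):
            findings.append({"line": lineno, "uses": ref, "issue": "unpinned"})
    return findings


# Constructed sample workflow; the checkout SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@v45
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['uses']} -> {f['issue']}")
```

Run it against every file under `.github/workflows/` of a repository; a `flagged-action` finding means the workflow referenced a listed action and its logs should be treated as having leaked secrets.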