A recent GitHub supply chain attack was traced back to a stolen Personal Access Token belonging to SpotBugs, an open-source static code analysis tool. Palo Alto Networks' Unit 42 reported that attackers used this token to gain access to and compromise tj-actions/changed-files, a widely used GitHub Action, leaking sensitive information from over 23,000 repositories. Initial access began in November 2024 but was only discovered months later. The attack exemplifies growing concerns about security within open-source ecosystems and the critical need to safeguard CI workflows.
The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs. This enabled them to move laterally between SpotBugs repositories until they obtained access to reviewdog, Unit 42 wrote.
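Because a compromised action can be pulled into thousands of workflows through a mutable version tag, the check a practitioner would want here is an audit of every `uses:` reference in a repository's workflow files, flagging those not pinned to a full 40-character commit SHA. The script below is an added example, not code from the article or from Unit 42; the workflow text it scans is constructed for illustration, and the commit SHA in it is a placeholder, not a real release of any action.

```python
import re

# Constructed sample workflow (not from the original article). One step
# references tj-actions/changed-files by a mutable tag, another pins an
# action to a full commit SHA (placeholder value, not a real commit).
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
        id: changed
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: ./.github/actions/local-step
      - run: echo "${{ steps.changed.outputs.all_changed_files }}"
"""

# Match `uses: <ref>` at any indentation, with or without a leading list dash,
# and stop the ref at whitespace or an inline comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
# A full 40-hex commit SHA is the only reference GitHub will not re-point.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_uses(workflow_text):
    """Return a list of (ref, status) for every `uses:` reference.

    status is one of:
      'sha-pinned'      ref@<40-hex sha>
      'mutable-tag'     ref@<tag or branch>, e.g. @v45 or @main
      'unpinned'        no @ at all (resolves to the default branch)
      'local-or-docker' ./path or docker:// refs, which pin differently
    """
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            findings.append((ref, "local-or-docker"))
            continue
        if "@" not in ref:
            findings.append((ref, "unpinned"))
            continue
        _, version = ref.rsplit("@", 1)
        status = "sha-pinned" if SHA_RE.match(version) else "mutable-tag"
        findings.append((ref, status))
    return findings


def unpinned_refs(workflow_text):
    """Return only the references an attacker could re-point via a tag move."""
    return [ref for ref, status in audit_uses(workflow_text)
            if status in ("unpinned", "mutable-tag")]


if __name__ == "__main__":
    for ref, status in audit_uses(SAMPLE_WORKFLOW):
        print(f"{status:16} {ref}")
```

Run it against every file under `.github/workflows/` in a repository; any `mutable-tag` or `unpinned` finding is a reference that a compromised upstream could redirect to malicious code without any change on your side. The script uses a regular expression rather than a YAML parser so it has no dependencies, which also means it will flag references inside YAML comments that happen to match the pattern.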