"The attack used code from the Shai-Hulud worm, published by malware outfit TeamPCP, which can extract secrets from memory used by GitHub Actions. It began with a PR that triggered an automatic workflow via TanStack's use of the pull_request_target feature, causing the malicious code to be built and run by a GitHub Action, poisoning a cache used across the entire repository."
"The TanStack team said that its workflow used a pattern GitHub warns against: pull_request_target id intended for PRs that "do not require dangerous processing, say building or running the content of the PR." Since the attack, TanStack has removed all use of pull_request_target from its continuous integration (CI) pipeline, disabled caches used by pnpm (a Node.js package manager) and GitHub Actions, pinned actions to commit SHA (Secure Hash Algorithm) hashes rather than retargetable tags, and disabled use of text messages for 2-factor authentication."
"The TanStack repository also now uses a feature of pnpm 11 called minimumReleaseAge, which requires dependencies to have been published for a set period before they can be installed. The idea is that compromised packages are usually detected and removed before that period completes. A more drastic proposal is closing the ability for external contributors to open pull requests at all."
""We are absolutely not going closed source," the team said, but it could put in place a mechanism where contributions begin with an issue or discussion, and a PR can be submitted only by invitation. TanStack acknowledged that it would be a r"
A breach involved a worm that exploited a GitHub Actions misconfiguration to poison a shared cache across a repository. The attack started with an unsolicited pull request that triggered an automatic workflow because pull_request_target was used. Malicious code was built and run by a GitHub Action, and the workflow used a pattern GitHub warns against for pull_request_target. After the incident, security changes included removing pull_request_target from CI, disabling pnpm and GitHub Actions caches, and pinning actions to commit SHA hashes instead of tags. Two-factor authentication via text messages was disabled. pnpm 11 minimumReleaseAge was added to delay installation of newly published dependencies. A further proposal would restrict external pull requests by requiring contributions to begin with issues or discussions and allowing PRs only by invitation.
#github-actions #cicd-security #supply-chain-security #open-source-contribution-controls #pnpm-dependency-security
Read at theregister
Unable to calculate read time
Collection
[
|
...
]