VS Code Configs Expose GitHub Codespaces to Attacks
Briefly

"It allows developers to test code, review pull requests, and more, but also exposes them to attacks via repository-defined configuration files, Orca says. "Codespaces is essentially VS Code running in the cloud, backed by Ubuntu containers, with built-in GitHub authentication and repository integration. This means any VS Code feature that touches execution, secrets, or extensions can potentially be abused when attackers control the repository content," the cybersecurity firm notes."
"Furthermore, the attacker can target Linux systems by embedding variables for the integrated terminal in another JSON file, which would result in the payload's execution via bash. According to the cybersecurity firm, an attacker could also use the devcontainer.json file to embed arbitrary commands that would be executed after the container is initialized on a machine. These attack vectors, Orca says, could lead to the exfiltration of GitHub tokens, Codespaces secrets, and other secrets."
GitHub Codespaces applies repository-defined VS Code configuration as soon as a repository or pull request is opened, so those settings take effect without the user explicitly approving them. An attacker who controls repository content can embed commands in .vscode JSON files, set integrated-terminal environment variables that cause bash to execute a payload on Linux, or add commands to devcontainer.json that run once the container has been initialized. Each of these yields code execution inside the cloud-hosted environment, from which GitHub tokens, Codespaces secrets, and other credentials can be read and exfiltrated. Because the environment ships with built-in GitHub authentication and extension support, a repository-controlled payload has a larger attack surface to work with than a plain container would offer. In practice, opening an untrusted repository or pull request in Codespaces should be treated as running whatever its .vscode and .devcontainer directories contain.
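As an added illustration (not code from SecurityWeek or Orca, whose write-up does not name the exact configuration keys), the Python script below audits the three repository-controlled files the summary describes before a repository is opened in Codespaces. It assumes the standard VS Code and Dev Container settings that match the vectors above: a tasks.json task whose runOptions.runOn is folderOpen, terminal.integrated.env.* variables in settings.json (BASH_ENV, ENV and PROMPT_COMMAND make bash run code on startup or before each prompt, and LD_PRELOAD does the same at the loader level), and the lifecycle command keys of devcontainer.json. Which of these Orca actually used is an assumption on my part; the sample repository is constructed for the example and its commands are inert echo placeholders.

```python
"""Audit repository-controlled VS Code / devcontainer configs for entries that auto-execute."""
import json
import re
from collections import namedtuple

# devcontainer.json lifecycle hooks that run a command (Dev Container spec key names).
LIFECYCLE_KEYS = ("initializeCommand", "onCreateCommand", "updateContentCommand",
                  "postCreateCommand", "postStartCommand", "postAttachCommand")
# VS Code settings that inject variables into the integrated terminal, per platform.
TERMINAL_ENV_KEYS = tuple(f"terminal.integrated.env.{p}" for p in ("linux", "osx", "windows"))
# Variables bash (or the dynamic loader) honours without any user action.
SHELL_STARTUP_VARS = {"BASH_ENV", "ENV", "PROMPT_COMMAND", "LD_PRELOAD"}

Finding = namedtuple("Finding", "path key value severity")

# Tokens: JSON string, line comment, block comment, whitespace run, or any single char.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/|\s+|.', re.S)


def strip_jsonc(text: str) -> str:
    """Remove comments and trailing commas outside strings; VS Code configs are JSONC."""
    toks = [t for t in _TOKEN.findall(text) if not t.startswith(("//", "/*"))]
    out = []
    for i, t in enumerate(toks):
        if t == ",":
            nxt = next((u for u in toks[i + 1:] if not u.isspace()), "")
            if nxt in ("}", "]"):          # trailing comma: drop it
                continue
        out.append(t)
    return "".join(out)


def parse_jsonc(text: str):
    return json.loads(strip_jsonc(text))


def _as_text(value) -> str:
    """Lifecycle commands may be a string, an argv list, or a dict of named commands."""
    if isinstance(value, list):
        return " ".join(map(str, value))
    if isinstance(value, dict):
        return "; ".join(_as_text(v) for v in value.values())
    return str(value)


def _scan_terminal_env(path: str, settings: dict, findings: list) -> None:
    for key in TERMINAL_ENV_KEYS:
        for var, val in (settings.get(key) or {}).items():
            sev = "high" if var in SHELL_STARTUP_VARS else "medium"
            findings.append(Finding(path, f"{key}.{var}", str(val), sev))


def audit_repo(files: dict) -> list:
    """files maps a repo-relative path to its text; returns every auto-executing entry found."""
    findings = []
    for path, text in files.items():
        doc, name = parse_jsonc(text), path.rsplit("/", 1)[-1]
        if name == "tasks.json":
            for task in doc.get("tasks", []):
                if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                    cmd = f"{_as_text(task.get('command', ''))} {_as_text(task.get('args', []))}"
                    findings.append(Finding(path, f"tasks[{task.get('label')}]", cmd.strip(), "high"))
        elif name == "settings.json":
            _scan_terminal_env(path, doc, findings)
        elif name == "devcontainer.json":
            for key in LIFECYCLE_KEYS:
                if key in doc:
                    findings.append(Finding(path, key, _as_text(doc[key]), "high"))
            # The same terminal settings can also ride along in customizations.vscode.settings.
            vscode = (doc.get("customizations") or {}).get("vscode") or {}
            _scan_terminal_env(path, vscode.get("settings") or {}, findings)
    return findings


# Constructed sample repository (not from the article); every command is an inert echo.
SAMPLE_REPO = {
    ".vscode/tasks.json": """{
  // "folderOpen" makes this task start as soon as the workspace is opened.
  "version": "2.0.0",
  "tasks": [{
    "label": "prepare", "type": "shell",
    "command": "echo", "args": ["task ran on folderOpen"],
    "runOptions": { "runOn": "folderOpen" },
  }],
}""",
    ".vscode/settings.json": """{
  "editor.tabSize": 2,
  "terminal.integrated.env.linux": {
    "BASH_ENV": "/workspaces/demo/.vscode/init.sh", /* bash sources this on every start */
    "PATH": "/workspaces/demo/bin:${env:PATH}"
  }
}""",
    ".devcontainer/devcontainer.json": """{
  "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
  "postCreateCommand": "echo post-create",
  "postAttachCommand": { "hook": ["echo", "post-attach"] }
}""",
}

if __name__ == "__main__":
    for f in audit_repo(SAMPLE_REPO):
        print(f"[{f.severity}] {f.path}: {f.key} = {f.value}")
```

Run it against a checkout (or a pull request's head) and refuse to open the Codespace while any high-severity finding is unexplained. The files are JSONC, so the parser strips comments and trailing commas instead of handing them straight to json.loads, which would reject a typical hand-written tasks.json. The script does not cover extensions that the configs recommend or install, which the article also names as part of the attack surface.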
Read at SecurityWeek