They also “can be reused and shared with others on the GitHub Marketplace, which currently lists thousands of public Actions that developers can use instead of coding their own. Actions can also be included as dependencies inside other Actions, creating an ecosystem similar to other open-source component registries.”
Researchers from Orca Security recently investigated the impact typosquatting can have in the GitHub Actions ecosystem by registering 14 GitHub organizations with names that are misspellings of popular Actions owners — for example, circelci instead of circleci, actons instead of actions, google-github-actons instead of google-github-actions… One might think that developers making typos is not very common, but given the scale of GitHub — over 100 million developers with over 420 million repositories — even a statistically rare occurrence can mean thousands of potential victims. For example, the researchers found 194 workflow files calling the “action” organization instead of “actions”; moreover, 12 public repositories started referencing the researchers’ fake “actons” organization within two months of setting it up.
“Although the number may not seem that high, these are only the public repositories we can search for and there could be multiple more private ones, with numbers increasing over time,” the researchers wrote… Ultimately this is a low-cost high-impact attack. Having the ability to execute malicious actions against someone else’s code is very powerful and can result in software supply chain attacks, with organizations and users that then consume the backdoored code being impacted as well…
Out of the 14 typosquatted organizations that Orca set up for their proof-of-concept, GitHub only suspended one over a three-month period — circelci — and that’s likely because someone reported it. CircleCI is one of the most popular CI/CD platforms.
Thanks to Slashdot reader snydeq for sharing the article.
Read more of this story at Slashdot.