GitHub Attack Vector Cracks Open Google, Microsoft, AWS Projects

Published: 23/11/2024   Category: security




Cloud services, and thus the millions of end users who access them, could have been affected by the poisoning of build artifacts in the development workflows of open source projects.



Researchers have uncovered an attack vector that affected GitHub open source projects owned by Google, Microsoft, Amazon Web Services, and others, executed by abusing artifacts generated as part of software-development workflows.
Researchers at Palo Alto Networks Unit 42 discovered the attack, which was effective against high-profile open source projects owned by some of the biggest companies in the world, according to a blog post published by lead researcher Yaron Avital yesterday. Compromise of those projects could have had an impact on millions of their consumers.
Other companies whose projects were affected by the attack vector, which abuses what are called GitHub Actions artifacts, include Canonical (Ubuntu), the OWASP Foundation, and Red Hat, among others. The vector causes the artifacts to leak both third-party cloud-service tokens and GitHub tokens, making them available to anyone with read access to the repository, Avital wrote.
This gives malicious actors with access to these artifacts the potential to compromise the services to which those secrets grant access, he explained. The most common leak found was of GitHub tokens, which allow an attacker to act against the triggering GitHub repository, Avital added.
The exposure ultimately could have allowed attackers to push malicious code to production through the continuous integration and continuous delivery/deployment (CI/CD) pipeline, or to access secrets stored in the GitHub repository and organization, he explained.
Unit 42 worked with all of the companies and maintainers of the affected projects and received strong support from every team, so all of the discoveries were mitigated quickly and efficiently, Avital wrote. However, other unknown private and public projects could still be subject to the same attack.
CI/CD environments, processes, and systems are a key part of modern software development, in the flow of building, testing, and delivering code to production. For the same reason they offer a prime opportunity for attackers: they use highly sensitive credentials to authenticate against many kinds of services, which makes maintaining a high level of credential hygiene a significant challenge, Avital wrote.
The attack centers on GitHub Actions artifacts, the workflow build artifacts that allow developers to persist and share data across jobs within the same workflow. These artifacts can be any files generated during the build process, such as compiled code, test reports, or deployment packages, Avital explained.
Artifacts ensure that critical data isn't lost after a workflow finishes, making it accessible for later analysis or deployment. This is particularly useful for sharing test results or deployment packages between dependent jobs, Avital noted.
GitHub Actions workflows frequently use secrets to interact with various cloud services and with GitHub itself. Those secrets include the ephemeral, automatically created GitHub token (GITHUB_TOKEN) that the workflow uses to perform actions against the repository.
The Actions build artifacts are outputs generated by the execution of workflows, and once created they're stored for up to 90 days, Avital explained. In open source projects, these artifacts are publicly available for anyone to download.
The attack flow he discovered lets an attacker download the publicly available artifact, extract the token, and use it to push malicious code to the repository of an open source project. GitHub's automatic token expires when the job that created it finishes, so this step only works while the token in the artifact is still valid, or when the artifact also carries longer-lived secrets such as cloud-service credentials. Once pushed, the code becomes part of the project and can be executed as part of the software or service that end users ultimately rely on.
Unit 42's post included a list of GitHub open source projects known to have been affected by the attack vector.
GitHub has become a major target for threat actors because of its attractiveness as a way to reach myriad software and services by poisoning just a few lines of code in repositories.
The new attack vector demonstrates that we have a gap in the current security conversation regarding artifact scanning on GitHub, Avital wrote, which means that organizations using the artifacts mechanism should reevaluate the way they use it.
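The download-and-extract step described above, and the artifact-scanning gap Avital points to, can both be illustrated with a scanner that treats a downloaded artifact the way an attacker would. The script below is an added example written for this page; it is not code from the Unit 42 post, from GitHub, or from any affected project. It unzips an artifact in memory and looks for two things: plain secret strings (GitHub's documented token prefixes and the AWS access key id prefix) in any file, and the form in which actions/checkout leaves the job's GITHUB_TOKEN in `.git/config`, an HTTP extraheader carrying `base64("x-access-token:<token>")`, which is what ends up in an artifact when a workflow packages its whole working tree. The sample artifact, the `example-org/example-repo` remote, the placeholder `ghs_` token and the documented AWS example key are all constructed for the demonstration.

```python
"""Scan a downloaded GitHub Actions artifact (zip) for leaked credentials.

Added example for this article, not code from Unit 42 or GitHub. Run with
a path to an artifact zip, or with no argument to scan a constructed sample.
"""
import base64
import io
import re
import sys
import zipfile

# Secret shapes: GitHub's documented token prefixes (ghs_ installation
# tokens, ghp_ classic PATs, github_pat_ fine-grained PATs) and AWS access
# key ids. Extend this table for the cloud providers a given project uses.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\b(?:ghs|ghp|gho|ghu|ghr)_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
}

# What actions/checkout writes into .git/config when persist-credentials is
# left at its default (true): the token is base64-wrapped, so a plain regex
# scan of the file would miss it.
GIT_EXTRAHEADER = re.compile(r"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def scan_text(filename: str, text: str) -> list[tuple[str, str, str]]:
    """Return (filename, finding_kind, secret) for every secret found in text."""
    findings = []
    # 1. Decode git basic-auth headers and match the decoded value.
    for header in GIT_EXTRAHEADER.finditer(text):
        try:
            decoded = base64.b64decode(header.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: not valid base64, skip it
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(decoded):
                findings.append((filename, f"{kind} (decoded from git extraheader)", match.group(0)))
    # 2. Plain-text matches anywhere in the file (.env files, logs, configs).
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((filename, kind, match.group(0)))
    return findings


def scan_artifact(zip_bytes: bytes) -> list[tuple[str, str, str]]:
    """Walk every file in the artifact zip and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Binary files decode with replacement characters; token patterns
            # are ASCII, so they still match if present.
            text = archive.read(info).decode("utf-8", errors="replace")
            findings.extend(scan_text(info.filename, text))
    return findings


def redact(secret: str) -> str:
    """Keep the prefix so the token type stays recognisable; hide the rest."""
    return secret[:8] + "*" * (len(secret) - 8)


def build_sample_artifact() -> bytes:
    """Constructed sample: an artifact from a workflow that uploaded its whole tree.

    The GitHub token is a placeholder with the right shape, not a real
    credential; the AWS key is the example key from AWS's own documentation.
    """
    fake_github_token = "ghs_" + "A" * 36
    basic = base64.b64encode(f"x-access-token:{fake_github_token}".encode()).decode()
    git_config = (
        '[remote "origin"]\n\turl = https://github.com/example-org/example-repo\n'
        f'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic {basic}\n'
    )
    dotenv = "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(".git/config", git_config)
        archive.writestr("build/.env", dotenv)
        archive.writestr("build/report.txt", "All 42 tests passed.\n")
    return buf.getvalue()


def main(argv: list[str]) -> int:
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_artifact()
    findings = scan_artifact(data)
    for filename, kind, secret in findings:
        print(f"{filename}: {kind}: {redact(secret)}")
    return 1 if findings else 0  # non-zero exit so a CI gate can fail the upload


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the constructed sample, the scanner reports the GitHub token hidden in `.git/config` and the AWS key in `build/.env` and exits non-zero; the same function can gate an upload step so a secret never leaves the runner in the first place.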
He also recommended that defenders adopt a holistic approach to software development and scrutinize every stage of it (from code to production) for potential vulnerabilities. Overlooked elements like build artifacts often become prime targets for attackers, Avital wrote.
Organizations should also reduce the workflow permissions of runner tokens to least privilege, and review how artifacts are created in their CI/CD pipelines, as part of a proactive approach to strengthening the security posture of development projects, he noted.
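The two recommendations above, shown as workflow configuration. This is an added example for this page, not a workflow from the Unit 42 post or from any of the affected projects: the first document is the risky shape (checkout leaves the job token in `.git/config`, and the upload step packages the repository root), the second is the corrected form. The workflow names, the `make build` step and the `dist/` output path are placeholders; `persist-credentials`, `permissions` and `retention-days` are real inputs of actions/checkout, GitHub Actions and actions/upload-artifact respectively.

```yaml
# Risky: the whole working tree, .git/config included, ends up in a public artifact.
name: build-risky
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        # default persist-credentials: true stores the job's GITHUB_TOKEN in .git/config
      - run: make build
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: .          # packages .git/config and any .env the build wrote
---
# Hardened: least-privilege token, no persisted credentials, only the deliverable uploaded.
name: build-hardened
on: [push]
permissions:
  contents: read         # least-privilege default for GITHUB_TOKEN in every job
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # nothing for an artifact to leak from .git/config
      - run: make build
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: dist/          # the build product only, never the repository root
          retention-days: 7    # shorten the 90-day default exposure window
```

A job that genuinely needs to push (for example, a release job) should request `contents: write` in its own `permissions` block rather than widening the workflow-level default, so a token that does leak from any other job is read-only.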
