Cloud services and thus millions of end users who access them could have been affected by the poisoning of artifacts in the development workflow of open source projects.
August 14, 2024 By Elizabeth Montalbano
Researchers have uncovered an attack vector that affected GitHub open source projects owned by Google, Microsoft, Amazon Web Services, and others, executed by abusing artifacts generated as part of software-development workflows.
Researchers at Palo Alto Networks' Unit 42 discovered the attack, which was effective against "high-profile open source projects owned by the biggest companies in the world," according to a blog post published by lead researcher Yaron Avital yesterday. Compromise of those projects, then, "could have led to a potential impact on millions of their consumers."
Other companies whose projects were affected by the attack vector, which abuses what are called GitHub Actions artifacts, include Canonical (Ubuntu), the OWASP Foundation, and Red Hat. The vector causes the artifacts to leak both third-party cloud-service tokens and GitHub tokens, making them available for anyone with "read access" to the repository to consume, Avital wrote.
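As an added example (not code from the Unit 42 research or from any of the projects named here), the kind of pre-upload check a workflow can run over the directory it is about to publish as an artifact: it flags files containing strings shaped like GitHub tokens (the documented `ghp_`/`gho_`/`ghu_`/`ghs_`/`ghr_`/`github_pat_` prefixes) or AWS access key ids. The sample artifact it builds is constructed for illustration.

```python
import os
import re
import tempfile

# Token shapes to refuse in an artifact: GitHub tokens (ghp_ personal, gho_ OAuth,
# ghu_/ghs_ app tokens, ghr_ refresh, github_pat_ fine-grained) and AWS key ids.
TOKEN_PATTERNS = {
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36,}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}

def scan_text(data):
    """Return the sorted kinds of token-shaped strings present in a text blob."""
    return sorted(kind for kind, pat in TOKEN_PATTERNS.items() if pat.search(data))

def scan_file(path, max_bytes=5_000_000):
    """Read a file leniently (logs, configs, binaries) and scan its text."""
    with open(path, "rb") as fh:
        return scan_text(fh.read(max_bytes).decode("utf-8", errors="ignore"))

def scan_artifact_dir(root):
    """Walk the directory staged for upload; return (relative path, kinds) per offending file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            kinds = scan_file(full)
            if kinds:
                findings.append((os.path.relpath(full, root), kinds))
    return sorted(findings)

def build_sample_artifact():
    """Constructed sample: a build log that echoed a workflow token next to a clean file."""
    root = tempfile.mkdtemp(prefix="artifact-")
    os.makedirs(os.path.join(root, "logs"))
    with open(os.path.join(root, "logs", "build.log"), "w") as fh:
        fh.write("Authorization: token ghs_" + "A" * 36 + "\n")  # constructed, not a real token
    with open(os.path.join(root, "app.js"), "w") as fh:
        fh.write("console.log('hello');\n")
    return root

if __name__ == "__main__":
    # In a real workflow, run this against the upload path and fail the job on any finding.
    for rel, kinds in scan_artifact_dir(build_sample_artifact()):
        print(f"refusing to upload {rel}: {', '.join(kinds)}")
```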