A critical warning has been issued to app development teams using a popular utility in the GitHub Actions continuous integration and continuous delivery/deployment (CI/CD) platform, as researchers discovered that the tool was compromised to steal credentials. The compromised tool, tj-actions/changed-files, was modified by a threat actor on March 14, allowing remote attackers to discover secrets such as API keys, access tokens, and passwords by reading actions logs.

The researchers at StepSecurity found that all versions of the utility up to 45.0.7 were affected, and GitHub has since pulled access to the tool and replaced it with a patched version. According to a report from Endor Labs, the utility is used in over 23,000 GitHub repositories, potentially impacting thousands of CI pipelines.

The compromised action could have far-reaching consequences, as it could have been used to compromise the software supply chain for other open source libraries, binaries, and artifacts created with this tool. Endor Labs warns that any public repository that creates packages or containers as part of a CI pipeline could have been impacted, and that development teams with both private and public repositories need to take immediate action to mitigate the risk.

In an interview, the CTO of Endor Labs, Dimitri Stiliadis, emphasized the potential damage to applications that used the tj-actions tool, stating that hackers could have used stolen credentials in Docker Hub or other open source repositories to access and insert malware in other software packages. "We could have packages infected with malware that nobody's going to know about," he said.

Researchers at Wiz Threat Research have identified "dozens" of impacted public repositories with exposed sensitive secrets and are reaching out to affected parties. To help determine whether their repositories were affected, infosec leaders should audit GitHub logs for suspicious IP addresses. If any are found, the active secrets in their repositories need to be rotated.

GitHub recommends that developers pin all GitHub Actions to specific commit hashes instead of version tags to mitigate against future supply chain attacks. They should also use GitHub's allow-listing feature to block unauthorized GitHub Actions from running and configure GitHub to allow only trusted actions.

StepSecurity CEO Varun Sharma called the incident "very serious" and urged infosec or development leaders to review where tj-actions/changed-files was used in workflows, determine if the compromised version was used in CI/CD pipelines, and immediately rotate exposed credentials including API keys, access tokens, and passwords. He also recommended switching to a secure alternative for this tool or upgrading to a patched version.

The incident highlights the growing trend of threat actors compromising software during development to gain access to a wide range of IT environments. This is not the first time GitHub and other open source code repositories have been abused by hackers, and CISOs must ensure their app developers follow security best practices when using open source platforms for honing code.

In conclusion, the compromise of the tj-actions/changed-files utility is a critical warning to the development community, and immediate action is required to mitigate the risk of credential theft and potential supply chain attacks. Infosec leaders must take proactive steps to protect their repositories and ensure the security of their software development pipelines.