Many top-level open source projects have been found leaking GitHub auth tokens, putting entire projects at risk of data theft and malicious code tampering.
Cybersecurity researchers from Unit 42 discovered the mishap and reported it to both GitHub and corresponding project owners – however GitHub said it wouldn’t be addressing the issue, and that the security of auth tokens lies solely with project owners.
Unit 42 said it found open source projects from the likes of Google, Microsoft, and AWS, leaking GitHub authentication tokens through GitHub Actions artifacts in CI/CD workflows. Should a malicious actor find these tokens, they could use them to access private repositories, steal source code, or even tamper with it, turning legitimate projects into malware.
Multiple payloads
That being said, Unit 42 says issues such as risky default settings, user misconfiguration, and insufficient security checks are at the heart of the problem.
One issue resides in the ‘actions/checkout’ action which, by default, keeps the GitHub token in the local .git directory (hidden), since it’s required for authenticated operations. But if a developer uploads the complete checkout directory for any reason, they will inadvertently expose the GitHub token inside the .git folder.
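As an added example (not code from the Unit 42 report, from GitHub, or from the actions/checkout project), here is a small Python check a maintainer could run over an unpacked artifact before publishing it. It relies on the fact that actions/checkout, with its default persist-credentials setting, writes the job token into the repository's local git config as an "AUTHORIZATION: basic" extra header whose value is base64 of "x-access-token:<token>". The sample artifact tree and the token inside it are constructed placeholders, and the finding is redacted before it is returned so it can be logged without re-exposing the credential.

```python
import base64
import os
import re
import tempfile
from pathlib import Path

# actions/checkout (default persist-credentials: true) stores the job's
# GITHUB_TOKEN in .git/config as an HTTP extra header:
#   [http "https://github.com/"]
#       extraheader = AUTHORIZATION: basic <base64("x-access-token:<token>")>
EXTRAHEADER_RE = re.compile(
    r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def redact(token):
    """Keep only a short prefix so a finding can be logged safely."""
    if len(token) <= 4:
        return "****"
    return token[:4] + "*" * (len(token) - 4)


def find_persisted_tokens(artifact_root):
    """Walk an unpacked artifact and report every .git/config that still
    carries an AUTHORIZATION extra header. Returns a list of
    (relative_config_path, redacted_token) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(artifact_root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            config_path = Path(dirpath) / "config"
            text = config_path.read_text(errors="replace")
            for match in EXTRAHEADER_RE.finditer(text):
                try:
                    decoded = base64.b64decode(match.group(1)).decode("utf-8", "replace")
                except Exception:
                    decoded = ""
                # The decoded credential has the form "x-access-token:<token>".
                token = decoded.split(":", 1)[1] if ":" in decoded else decoded
                rel = config_path.relative_to(artifact_root).as_posix()
                findings.append((rel, redact(token)))
    return findings


def build_sample_artifact():
    """Constructed sample: an artifact that contains a whole checkout,
    including .git/config with a placeholder token (not a real credential)."""
    root = tempfile.mkdtemp(prefix="artifact-")
    git_dir = Path(root) / "repo" / ".git"
    git_dir.mkdir(parents=True)
    fake_token = "ghs_EXAMPLEPLACEHOLDERTOKEN0000"  # constructed placeholder
    header = base64.b64encode(f"x-access-token:{fake_token}".encode()).decode()
    (git_dir / "config").write_text(
        "[core]\n\trepositoryformatversion = 0\n"
        '[http "https://github.com/"]\n'
        f"\textraheader = AUTHORIZATION: basic {header}\n"
    )
    (Path(root) / "repo" / "README.md").write_text("build output\n")
    return root


if __name__ == "__main__":
    sample = build_sample_artifact()
    for path, redacted in find_persisted_tokens(sample):
        print(f"persisted credential found in {path}: {redacted}")
```

Running the scanner is a last line of defence; the fixes sit in the workflow itself. If later steps do not need the token, set persist-credentials: false on the actions/checkout step so nothing is written to .git/config in the first place, and give actions/upload-artifact an explicit path to the build output rather than the whole workspace so the .git directory is never packaged.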
More details about the different risk factors Unit 42 discovered can be found at this link.
In total, the researchers found 14 open source projects, belonging to major organizations, whose GitHub tokens are being exposed. They reported their findings to each one:
Firebase (Google)
OpenSearch Security (AWS)
Clair (Red Hat)
Active Directory System (Adsys) (Canonical)
JSON Schemas (Microsoft)
TypeScript Repos Automation, TypeScript Bot Test Triggerer, Azure Draft (Microsoft)
CycloneDX SBOM (OWASP)
Stockfish
Libevent
Guardian for Apache Kafka (Aiven-Open)
Git Annex (Datalad)
Penrose
Deckhouse
Concrete-ML (Zama AI)
Via BleepingComputer