Github supply chain attack

dietmarkuehl · March 26, 2025, 8:00pm

When reading random news I came across this note about a github supply chain attack. The short version is that some tj-actions used for CI were modified to leak some private keys into the build logs (in obfuscated form) where they could be obtained by anybody knowing how to undo the obfuscation.

There are a two recommendations as a follow-up:

Change any actions to not use a version but rather use a SHA as that prevents using tempered actions (assuming, of course, the version the SHA is taken from isn’t tempered with).
Rotate all possibly affected keys. I don’t know how to do that and/or how should do that.

It seems people were unaware of this attack. In my mind that leads to another action we should consider for Beman repos: set up something identifying all dependencies (SBOM; Software Bill of Materials) and automatically check these against published vulnerabilities, e.g., with a daily CI run. I haven’t checked if any of the Beman repositories was/is actually affected.

dsankel · March 28, 2025, 4:11pm

Thanks for pointing this out Dietmar! Is this something you’d be willing to drive forward?

ben.boeckel · April 2, 2025, 9:18am

Note that tj-actions was itself a victim of a supply chain attack from reviewdog/action-setup@v1. See GitHub suffers a cascading supply chain attack compromising CI/CD secrets | InfoWorld

Topic		Replies	Views
Using shell scripts in .github/workflow Beman Project Development	10	63	March 27, 2025
Becoming a member of the beman-project github Beman Project Development	1	248	July 28, 2024
[WARNING] The GitHub org may be renamed soon Beman Project Development	8	70	November 20, 2024
GitHub free plan won't allow enforcing rules on private repos Beman Project Development	7	67	January 31, 2025
Bemanproject/beman issues Beman Project Development	8	53	March 14, 2025

Github supply chain attack

Related topics