theregister.com

Google acquisition target Wiz links fresh supply chain attack to 23K pwned GitHub repos

Wiz security researchers think they've found the root cause of the GitHub supply chain attack that unfolded over the weekend, and they say a separate, earlier attack may have been to blame.

Software engineer Tonye Jack, author of tj-actions/changed-files – the compromised GitHub Action that was recently seen leaking the CI/CD secrets of more than 23,000 projects – has already said a stolen personal access token (PAT) was used to carry out the attack. How that token was acquired wasn't understood, however.

But on Monday, Wiz said it had followed up on a lead from researcher Adnan Khan: reviewdog/action-setup, a different GitHub Action, was compromised on March 11 and could be the source of the PAT stolen from tj-actions.

To recap and summarize:

tj-actions/changed-files is a GitHub Action that reports which files changed in a push or pull request; it is widely used in open source projects

It recently became apparent to some of its 23,000-plus users that their secrets were leaking in public logs

Researchers found that the Action was compromised at some point before March 14. A payload was injected into the repo that caused CI/CD secrets, such as AWS access keys, to be written to build logs

Because tj-actions/changed-files was compromised, by extension so too was tj-actions/eslint-changed-files. This Action runs ESLint to check pull requests for problem code. Crucially, it also runs reviewdog/action-setup

tj-actions/changed-files runs tj-actions/eslint-changed-files, which in turn runs reviewdog/action-setup, and a PAT was present in that pipeline's environment

Because reviewdog/action-setup was found to be compromised before tj-actions, researchers suspect this reviewdog attack was used to gain access to tj-actions, which has a much larger user base

As in the tj-actions/changed-files case, researchers found malicious code injected into reviewdog/action-setup that dumped CI runner memory, leaking secrets into logs.

These secrets likely contained the PAT for tj-actions/changed-files, allowing the attackers to compromise the much larger repo.

Rami McCarthy, principal security researcher at Wiz, said in a blog post that the team currently believes two attacks were chained deliberately in pursuit of compromising a specific high-value target.

He added that because only one version of the reviewdog Action carried the malicious code, during a roughly two-hour window on March 11, and because the repo reverted to an uncompromised commit shortly after, the attacker most likely reverted the commit themselves to hide the attack. That suggests the reviewdog compromise served a narrow purpose (stealing the tj-actions PAT) and that the attacker tried to stay as stealthy as possible.

By comparison, the 255 users of reviewdog are hardly a scratch on tj-actions' 23,000-plus. So the blast radius of this initial supply chain attack was much smaller, even though it led to a much larger one.

Still, McCarthy said those who use reviewdog should check for any secrets that may have been exposed and rotate them accordingly. If you referenced the Action by a full commit hash, or by a tag other than v1, you should be unaffected: the attacker moved the v1 tag, and a commit SHA cannot be repointed that way.

Researchers are still working on understanding how the initial compromise at reviewdog played out.

McCarthy said: "We can tell the attacker gained sufficient access to update the v1 tag to the malicious code they had placed on a fork of the repository. The reviewdog GitHub Organization has a relatively large contributor base and appears to be actively adding contributors through automated invites. This increases the attack surface for a contributor's access to have been compromised or contributor access to have been gained maliciously."

His recommendations were similar to those made in response to the tj-actions compromise: Stop using the Action and replace it with a safe alternative. Remove all references to the Action across all repo branches. Rotate any leaked secrets. ®
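A check a practitioner would want after the recommendations above, added here as an example (not code from Wiz, reviewdog or tj-actions): scan every workflow file on every branch and tag of a local clone for `uses:` references, flag the three Actions named on this page, and report whether each reference is a mutable tag or branch (which can be repointed, as the reviewdog v1 tag was) or a full commit SHA (which cannot). The sample workflow text, the placeholder SHA and the watchlist are constructed for the example; `./local` and `docker://` forms are skipped because they are not GitHub-hosted Action references.

```python
"""Find `uses:` references in GitHub Actions workflows and flag mutable refs.

Added example, not code from Wiz, reviewdog or tj-actions. A tag such as
@v1 can be moved by anyone with write access, which is how the reviewdog
v1 tag came to point at malicious code; a full 40-hex commit SHA cannot be
moved, so @<sha> references were unaffected.
"""
import re
import subprocess
import sys

# Matches `uses: owner/repo@ref` or `uses: owner/repo/subdir@ref`. Local
# (./path) and docker:// references carry no `@ref` in this form, so they
# do not match and are skipped.
USES_RE = re.compile(
    r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^'\"\s#]+)",
    re.MULTILINE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# The Actions this page names in the compromise chain (assumption: the
# repos you care about; extend as needed).
WATCHLIST = {
    "tj-actions/changed-files",
    "tj-actions/eslint-changed-files",
    "reviewdog/action-setup",
}


def classify_uses(workflow_text):
    """Return [(action, ref, kind, watched)] for every `uses:` line.

    kind is 'pinned' for a full commit SHA and 'mutable' for anything else
    (a tag or branch name, which the repo owner, or an attacker with write
    access, can repoint at different code).
    """
    rows = []
    for m in USES_RE.finditer(workflow_text):
        action, ref = m.group("action"), m.group("ref")
        kind = "pinned" if SHA_RE.match(ref) else "mutable"
        repo = "/".join(action.split("/")[:2])  # drop any subdirectory
        rows.append((action, ref, kind, repo in WATCHLIST))
    return rows


def scan_git_refs(repo_dir, workflow_dir=".github/workflows"):
    """Scan every local branch, remote branch and tag of a clone, not just
    the current checkout, since a stale branch still triggers workflows.
    Yields (ref, path, action, version, kind, watched). Requires git."""
    def git(*args):
        return subprocess.run(["git", "-C", repo_dir, *args],
                              capture_output=True, text=True, check=True).stdout

    refs = git("for-each-ref", "--format=%(refname:short)",
               "refs/heads", "refs/remotes", "refs/tags").split()
    for ref in refs:
        paths = git("ls-tree", "-r", "--name-only", ref, "--", workflow_dir).split()
        for path in paths:
            if path.endswith((".yml", ".yaml")):
                text = git("show", f"{ref}:{path}")
                for action, ver, kind, watched in classify_uses(text):
                    yield (ref, path, action, ver, kind, watched)


# Constructed sample workflow (not any real project's file); the 40-hex
# value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - name: Changed files
        uses: tj-actions/changed-files@v45   # mutable tag
      - uses: "reviewdog/action-setup@0123456789abcdef0123456789abcdef01234567"
"""


if __name__ == "__main__":
    # With a path argument: scan that clone. Without: classify the sample.
    if len(sys.argv) > 1:
        rows = scan_git_refs(sys.argv[1])
    else:
        rows = (("sample", "-", a, v, k, w)
                for a, v, k, w in classify_uses(SAMPLE_WORKFLOW))
    for ref, path, action, ver, kind, watched in rows:
        flag = "COMPROMISED-ACTION" if watched else ""
        print(f"{kind:7} {ref}:{path} {action}@{ver} {flag}")
```

Run it as `python scan_uses.py /path/to/clone` after a `git fetch --all --tags`, so remote branches are present locally; any `mutable` row for a watched Action, on any ref, is a reference to remove or repin, and a `pinned` row is only safe if that SHA predates the malicious commit.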
