item 43369639

werrett | 11 months ago

You can pin GitHub Actions to specific versions or specific commits. But note you can change version tags arbitrarily. In this specific case, the bad actor changes all of the version tags to point to their malicious commit: https://github.com/tj-actions/changed-files/tags

So to avoid that you'd have to pin your GitHub Action to specific commits as outlined in this SO post: https://stackoverflow.com/a/78905195
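The check a practitioner would want after reading the above is a way to find every `uses:` reference in a workflow that is still pinned to a mutable tag rather than a full commit SHA. The script below is an added example, not code from the post or from the tj-actions project; the workflow it scans is constructed inline (the 40-hex SHA in it is made up, not a real commit), and the `unpinned_uses` / `count_unpinned` names are mine.

```shell
#!/bin/sh
# Added example: flag GitHub Actions `uses:` references that are not pinned
# to a full 40-character commit SHA. Tags (v4, v45, ...) can be moved by
# whoever controls the repository, so only a SHA pins the exact code that runs.

# Constructed sample workflow (not from the original post). The SHA on the
# setup-node line is a placeholder, not a real commit.
WORKFLOW=$(mktemp)
cat >"$WORKFLOW" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
EOF

# Print each `uses:` target whose @ref is not a 40-hex SHA, one per line.
# Trailing "# vX.Y" comments are stripped first so a SHA pin with a version
# comment still passes. Local (./) and docker:// references are skipped:
# they are not GitHub tag/branch refs and need a different control.
unpinned_uses() {
  # $1 = path to a workflow file
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
    | grep -Ev '^(\./|docker://)' \
    | grep -Ev '@[0-9a-f]{40}$' || true
}

# Number of unpinned references; the policy check passes when this is 0.
count_unpinned() {
  unpinned_uses "$1" | grep -c . || true
}

# Stand-alone run: list the offenders and exit non-zero if any exist.
unpinned_uses "$WORKFLOW"
[ "$(count_unpinned "$WORKFLOW")" -eq 0 ]
```

This is a line-oriented heuristic, not a YAML parser, so it will miss a `uses:` written in flow style on one line with other keys; treat it as a pre-commit or CI gate, not as a substitute for reviewing the workflow. To obtain the SHA to pin, `git ls-remote https://github.com/OWNER/REPO refs/tags/vN` prints the tag's object; for an annotated tag use the `refs/tags/vN^{}` line, which is the commit the tag actually points at. Once pinned, keep the `# vX.Y` comment next to the SHA so humans (and tools such as Dependabot, which updates SHA pins and their version comments) can tell which release the hash corresponds to.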

zahlman | 11 months ago

> In this specific case, the bad actor changes all of the version tags to point to their malicious commit: https://github.com/tj-actions/changed-files/tags

This required compromising the entire repository, yes? It can't be explained as the maintainer being tricked into merging something malicious?

ImPostingOnHN | 11 months ago

The repo looks like it uses itself in its workflows, so it's possible that the commit being merged resulted in the necessary credentials being leaked to the attacker.