  • A new vulnerability in GitHub could affect the software supply chain


Researchers at security company Legit Security have found that an attacker can push changes to an open source repository on GitHub in a way that causes software projects which pull in the latest version of a component to compile updates containing malicious code.

According to the researchers, this artifact poisoning vulnerability can affect software projects that use GitHub Actions (GitHub's service for automating development pipelines) to trigger a build as soon as a change is detected in a software dependency.

Legit Security simulated an attack on the project underlying the Rust programming language, resulting in the project being recompiled with a malicious version of the popular GCC software library.

The attack abuses the automated build process in GitHub Actions. A vulnerable workflow pattern can allow an attacker to execute code with elevated privileges inside the development pipeline, steal repository secrets and spoof code.

In other words, in a vulnerable workflow any GitHub user can create a fork whose build produces an artifact. The attacker then injects this artifact into the original repository's build process and modifies its output.

Once the flaw is exploited, the attacker can modify repository branches, pull requests, issues and releases, and every other object the workflow token's permissions allow. Since Rust did not restrict the workflow token to specific scopes, the following permissions are available to an attacker:

Depending on the specific configuration of Rust's repositories, an attacker could use these permissions to extend the attack beyond the vulnerable repository to other Rust assets and move laterally within the organization.
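The vulnerable workflow pattern and the token-permission point described above, as an added illustration that is not taken from the article or from Rust's repositories: a `workflow_run` job that consumes an artifact built by a pull-request workflow, first in its weak form and then hardened by checking the artifact's origin and restricting the token. The workflow name, the `build` workflow, the `site` artifact and the deploy scripts are constructed; both jobs are shown in one file only for side-by-side comparison.

```yaml
# Constructed example: the "build" workflow runs on pull_request (including
# pull requests from forks) and uploads an artifact named "site".
name: publish-site
on:
  workflow_run:
    workflows: ["build"]
    types: [completed]

jobs:
  # --- weak: the artifact from any fork's run is downloaded and executed,
  #     and with no `permissions:` block the job inherits the repository's
  #     default token scopes ---
  publish-unsafe:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: site
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: bash ./deploy.sh          # this script came out of the artifact

  # --- hardened ---
  publish:
    # Act only on successful runs whose head repository is this repository;
    # a run produced from a fork's pull request never reaches this job.
    if: >-
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_repository.full_name == github.repository
    permissions:
      contents: read                   # least privilege; widen only what the job needs
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4      # deploy logic comes from this repo, not the artifact
      - uses: actions/download-artifact@v4
        with:
          name: site
          path: site
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: bash ./scripts/deploy.sh site   # artifact contents treated as data only
```

The `if:` guard on `head_repository.full_name` is the check that blocks the fork-to-artifact path; the `permissions:` block limits what a poisoned artifact could reach even if that guard were misconfigured.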

Legit Security CTO Liav Caspi said the problem affects a large number of open source projects because maintainers typically run tests on submitted code first and review it only after the tests.

GitHub has confirmed the issue and paid a bounty for the report, and Rust has already patched the vulnerability.

Author DeepWeb