A new sophisticated attack chain targeting GitHub repositories has emerged, leveraging fake Continuous Integration (CI) updates to steal secrets and tokens from vulnerable GitHub Actions workflows. Here's a breakdown of the threat:
How the Attack Works
- Abuse of the `pull_request_target` trigger: The attacker exploits the `pull_request_target` trigger in GitHub Actions. Unlike the standard `pull_request` trigger, this one runs entirely within the context of the base repository, granting full access to repository secrets even when the PR originates from an untrusted external fork account.
- Five-phase operation:
  - First phase: Extracts the `GITHUB_TOKEN` from git configuration, compresses it, and writes a base64-encoded output to workflow logs for later retrieval by the attacker.
  - Second phase: Uses the stolen token to call GitHub's API to map out secret names, deployment environments, and workflow files. Simultaneously probes cloud metadata endpoints (AWS, Azure, Google Cloud) for credentials.
  - Third phase: A background daemon watches the Linux `/proc` filesystem every two seconds for ten minutes, catching any secrets loaded by later job steps, and posts captured data directly to PR
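The defensive check that follows from the first bullet is to find workflows that use `pull_request_target` and, worse, also check out the PR head or reference secrets while doing so. The scanner below is an added example written for this page, not code from the article, from GitHub, or from any scanning tool; it is a line-oriented check rather than a full YAML parser, and the two sample workflows, the rule names and the severity labels are constructed for illustration.

```python
"""Scan GitHub Actions workflow files for the pull_request_target risk described above.

Added example, not code from the article or from GitHub. It is a line-oriented
check that needs no third-party YAML parser, so it runs offline as-is.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Constructed sample workflows (assumption: illustrative only, not taken from
# any real repository) used to exercise the scanner.
UNSAFE_WORKFLOW = """\
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SAFE_WORKFLOW = """\
name: CI
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

COMMENT_RE = re.compile(r"(?:^|[ \t])#.*$", re.M)   # YAML comments, kept out of matching
PR_TARGET_RE = re.compile(r"\bpull_request_target\b")
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
SECRETS_RE = re.compile(r"\$\{\{\s*secrets\.\w+")
PERMISSIONS_RE = re.compile(r"^permissions\s*:", re.M)


def first_line_matching(text: str, pattern: re.Pattern) -> int:
    """1-based number of the first line that matches, or 0 if none does."""
    for number, line in enumerate(text.splitlines(), start=1):
        if pattern.search(line):
            return number
    return 0


def scan_workflow(text: str, name: str = "workflow.yml") -> list[dict]:
    """Return findings for one workflow file; empty list when the trigger is not used."""
    body = COMMENT_RE.sub("", text)   # newlines are preserved, so line numbers still match
    findings: list[dict] = []

    def add(line: int, severity: str, rule: str, note: str) -> None:
        findings.append({"file": name, "line": line, "severity": severity, "rule": rule, "note": note})

    trigger_line = first_line_matching(body, PR_TARGET_RE)
    if not trigger_line:
        return findings   # plain pull_request runs in the fork's context without secrets

    add(trigger_line, "medium", "pull_request_target-trigger",
        "runs in the base repository with access to its secrets; prefer pull_request "
        "unless the job never executes code from the PR")
    head_line = first_line_matching(body, HEAD_REF_RE)
    if head_line:
        add(head_line, "high", "untrusted-head-checkout",
            "checks out the PR head, so code from an external fork runs with the base "
            "repository's GITHUB_TOKEN and secrets")
    secrets_line = first_line_matching(body, SECRETS_RE)
    if secrets_line:
        add(secrets_line, "high", "secrets-in-pr-target-job",
            "references repository secrets in a job reachable from an external fork")
    if not PERMISSIONS_RE.search(body):
        add(1, "info", "no-permissions-block",
            "no top-level permissions block, so GITHUB_TOKEN keeps the repository default "
            "instead of an explicit least-privilege grant")
    return findings


def scan_paths(paths: list[Path]) -> list[dict]:
    """Scan every workflow file given; typical input is .github/workflows/*.yml."""
    results: list[dict] = []
    for path in paths:
        results.extend(scan_workflow(path.read_text(encoding="utf-8"), str(path)))
    return results


if __name__ == "__main__":
    files = [Path(p) for p in sys.argv[1:]] or list(Path(".github/workflows").glob("*.y*ml"))
    found = scan_paths(files) if files else scan_workflow(UNSAFE_WORKFLOW, "sample-unsafe.yml")
    for f in found:
        print(f"{f['file']}:{f['line']} [{f['severity']}] {f['rule']}: {f['note']}")
```

Run it from a repository root with no arguments to scan `.github/workflows/`, or pass workflow paths explicitly; with no workflows present it reports on the constructed unsafe sample. The `pull_request_target` trigger alone is rated medium because it has legitimate uses (labelling, commenting on a PR) that never execute fork code; the rating rises to high only when the same workflow checks out the PR head or references secrets, which is the combination that lets a fork author reach the base repository's token.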
Read the full article at Cyber Security News