Supply Chain Attack Via MS GitHub's Runner Images
canopic jug writes:
Software engineer and security researcher, Adnan Khan, has found and published a supply chain attack carried out via Microsoft GitHub's runner images. The project used in the proof of concept is PyTorch.
From a period of time between February 2023 and July 25th, 2023, one such repository was GitHub's own actions/runner-images repository. You might be able to guess where this story this is going. This is the story of how I discovered and exploited a Critical misconfiguration vulnerability and reported it to GitHub. The vulnerability provided access to internal GitHub infrastructure as well as secrets. There was also a very high likelihood that this access could be used to insert malicious code into all of GitHub's runner base images - allowing an attacker to conduct a supply chain attack against every GitHub customer that used hosted runners.
More than a few sites are wrongly spinning this as a weakness with Python, PyTorch, or even with FOSS in general. However, the problem is not with FOSS, Python, or PyTorch but instead with a reliance on Microsoft's infrastructure for development. Fortunately there are mitigations. GitHub is software as a service, and not related to FOSS or Git itself though it does exploit both. It currently serves as a showcase for Microsoft Copilot.
Read more of this story at SoylentNews.