Supply Chain Attack Via MS GitHub's Runner Images

by
janrinok
from SoylentNews on (#6J13R)

canopic jug writes:

Software engineer and security researcher, Adnan Khan, has found and published a supply chain attack carried out via Microsoft GitHub's runner images. The project used in the proof of concept is PyTorch.

For a period of time between February 2023 and July 25th, 2023, one such repository was GitHub's own actions/runner-images repository. You might be able to guess where this story is going. This is the story of how I discovered and exploited a Critical misconfiguration vulnerability and reported it to GitHub. The vulnerability provided access to internal GitHub infrastructure as well as secrets. There was also a very high likelihood that this access could be used to insert malicious code into all of GitHub's runner base images - allowing an attacker to conduct a supply chain attack against every GitHub customer that used hosted runners.

More than a few sites are wrongly spinning this as a weakness with Python, PyTorch, or even with FOSS in general. However, the problem is not with FOSS, Python, or PyTorch but instead with a reliance on Microsoft's infrastructure for development. Fortunately there are mitigations. GitHub is software as a service, and not related to FOSS or Git itself though it does exploit both. It currently serves as a showcase for Microsoft Copilot.
