Widening impact assessment
The tj-actions maintainers had previously reported that they could not determine exactly how attackers gained access to their GitHub personal access token. This new finding from Wiz supplies the missing link, suggesting that the initial reviewdog compromise was the first domino in this cascading attack chain.
Beyond the confirmed compromise of reviewdog/action-setup@v1, the investigation has revealed several other potentially impacted actions from the same developer. These include reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos. The full extent of the compromise across these tools remains under investigation.
While GitHub and the reviewdog maintainers have implemented fixes, Wiz warns that if any compromised actions remain in use, a repeat attack targeting "tj-actions/changed-files" could still occur, especially if exposed secrets are not rotated.
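One way to check whether a repository still references the actions named above, or pulls any third-party action by a mutable tag rather than a full commit SHA, is to scan its workflow files. The script below is an added example, not code from Wiz, reviewdog or tj-actions; the action list is the one named in this article and is assumed illustrative rather than exhaustive, and the sample workflow and its commit SHA are constructed.

```python
import re

# Actions named in the article's account of the incident (assumed illustrative, not exhaustive).
AFFECTED_ACTIONS = {
    "reviewdog/action-setup",
    "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template",
    "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep",
    "reviewdog/action-typos",
    "tj-actions/changed-files",
}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return (line_no, reference, reason) for every risky `uses:` line in a workflow."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and container images are out of scope here
        name, _, version = ref.partition("@")
        repo = "/".join(name.split("/")[:2])  # drop any sub-path, keep owner/repo
        reasons = []
        if repo in AFFECTED_ACTIONS:
            reasons.append("named in the reviewdog/tj-actions incident")
        if not FULL_SHA_RE.match(version):
            reasons.append("not pinned to a full commit SHA")
        if reasons:
            findings.append((lineno, ref, "; ".join(reasons)))
    return findings


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for lineno, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {reason}")
```

Run it over each file under `.github/workflows/` and treat any "named in the ... incident" hit as a trigger to rotate the secrets that workflow could read.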