The way build artifacts are stored by the GitHub Actions platform could enable attackers to inject malicious code into software projects with CI/CD (continuous integration and continuous delivery) workflows that don’t perform sufficient filtering when downloading artifacts. Cybersecurity researchers have identified several popular artifacts download scripts used by thousands of repositories that are vulnerable to this issue.
“We have discovered that when transferring artifacts between different workflows, there is a major risk for artifact poisoning — a technique in which attackers replace the content of a legitimate artifact with a modified malicious one and thereby initiate a supply chain attack,” researchers from supply chain security firm Legit Security said in an analysis of the issue.
To read this article in full, please click here
More Stories
Visualize Change with an Out-of-the-Box Configuration Report
CIS is releasing an out-of-the-box configuration report to help give you visibility in the software updates we’ve implemented from one...
Planet Ice hacked! 240,000 skating fans’ details stolen
Planet Ice, which operates 14 ice rinks up and down the UK, has revealed that criminal hackers managed to break...
GitHub Confirms Signing Certificates Stolen in Cyber-Attack, Revokes Them
Revoking these certificates will invalidate some versions of GitHub Desktop for Mac and Atom Read More
DocuSign Brand Impersonation Attack Bypasses Security Measures, Targets Over 10,000
Victims were redirected to a fake landing page to exfiltrate their Proofpoint credentials Read More
Financial Services Targeted in 28% of UK Cyber-Attacks Last Year
API attacks, bad bots and DDoS attacks were the industry's main security challenges Read More
IoT, connected devices biggest contributors to expanding application attack surface
The growth of the internet of things (IoT) and connected devices are the biggest contributing factors to organizations’ expanding attack...