Software projects face supply chain security risk due to insecure artifact downloads via GitHub Actions

December 1, 2022

Read Time:38 Second

The way build artifacts are stored by the GitHub Actions platform could enable attackers to inject malicious code into software projects with CI/CD (continuous integration and continuous delivery) workflows that don’t perform sufficient filtering when downloading artifacts. Cybersecurity researchers have identified several popular artifacts download scripts used by thousands of repositories that are vulnerable to this issue.

“We have discovered that when transferring artifacts between different workflows, there is a major risk for artifact poisoning — a technique in which attackers replace the content of a legitimate artifact with a modified malicious one and thereby initiate a supply chain attack,” researchers from supply chain security firm Legit Security said in an analysis of the issue.

To read this article in full, please click here

Smashing Security podcast #411: The fall of Troy, and whisky barrel scammers

Stripe API Skimming Campaign Unveils New Techniques for Theft

Royal Mail Investigates Data Breach Affecting Supplier

Gray Bots Surge as Generative AI Scraper Activity Increases

Bybit Heist Fuels Record Crypto-Theft Surge, Says CertiK

Rational Astrologies and Security

North Korea’s Fake IT Worker Scheme Sets Sights on Europe

Steam Surges to Top of Most Spoofed Brands List in Q1

ICO Apologizes After Data Protection Response Snafu