How can an attacker exploit leaked credentials? In this new series, we try to answer this question by imagining plausible attack scenarios. Fourth case: secrets are stolen with a malicious GitHub action.
Join the DZone community and get the full member experience.
Last time, a cryptocurrency scammer scanned Android APKs on the Internet Archive and found thousands of leaked Twitter API keys. After that, the scammer invested money into an altcoin and used the leaked API keys to promote the altcoin with hijacked Twitter accounts. The story ended with a classic pump-and-dump that made the crypto scammer millions of dollars at the expense of duped investors.
In this series, we will dissect not just what an attacker can do to get access to credentials, but also what they would do after getting that initial access. We will walk through a different threat scenario in each part of the series and tell stories of malicious hackers that are either true, based on a true incident, or reasonably theoretical.
In this scenario, we start out with a full-stack developer at Poor Corp who is trying to get started with automatic builds and deployments using GitHub Actions. Poor Corp has a Jenkins instance that they have used in the past for automating internal jobs, so the developer decides to try using that as part of the CI/CD pipeline. They do a search for “Jenkins” in the GitHub Marketplace to get started, but there don’t seem to be any official-looking actions or apps. The developer browses through a few of the available actions provided by other developers on GitHub and chooses the first one with a helpful README. Little does our developer know, he has just fallen for a trap.
Recently, a malicious hacker has been cloning various GitHub actions in the Marketplace. However, these clones have some additional code in them. The actions work as expected, but in each one, the hacker has added code that steals secrets passed into the action through arguments and environment variables.
