Surprising workflow_dispatch runs within the Actions tab may very well be a warning signal, the researchers stated in a weblog publish. “For those who use OIDC federation for cloud deployments, evaluation cloud audit logs for token requests from unknown workflow runs.”
The malicious commits had been seen modifying Github Actions workflows to incorporate base64-encoded bash payloads designed to steal secrets and techniques uncovered throughout CI execution, together with cloud credentials, SSH keys, OpenID Join (OIDC) tokens, supply code secrets and techniques, and different atmosphere variables.
Among the many hardest-hit tasks had been Wiznet’s ioLibrary_Driver repository, 4 Tiledesk repositories, and 4 persian-tools repositories, with nicely over 2,000 malicious commits between them.
A later weblog publish by OX Safety flagged some similarities to the widespread TeamPCP compromises, significantly using hardcoded historic commit dates. This was a trick utilized in TeamPCP-linked operations to cover the true timing of malicious exercise.
