GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code

Threat actors have long utilized typosquatting as a technique to deceive unwary users into accessing malicious websites or downloading booby-trapped software and packages.

These attacks often include registering domains or packages with names significantly changed from their authentic equivalents (e.g., goog1e.com vs. google.com).

Adversaries targeting open-source repositories across platforms have relied on developers making typing mistakes to begin software supply chain assaults using PyPI, npm, Maven Central, NuGet, RubyGems, and Crate.

The recent results from cloud security company Orca demonstrate that even GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform, is not immune from the danger.

"If developers make a typo in their GitHub action that matches a typosquatter's action, applications could be made to run malicious code without the developer even realizing," security researcher Ofir Yakobi stated in a study published with The Hacker News.

The attack is conceivable because anybody may publish a GitHub Action by opening a GitHub account using a temporary email address. Given that actions operate inside the context of a user's repository, a malicious action might be used to tamper with the source code, extract secrets, and use it to transmit malware.

All that the approach takes is for the attacker to establish organizations and repositories with names that roughly mimic prominent or widely-used GitHub Actions.

If a user commits unintended spelling mistakes while setting up a GitHub action for their project and that misspelled version has already been produced by the adversary, then the user's workflow will perform the malicious action as opposed to the intended one.

"Imagine an action that exfiltrates sensitive information or modifies code to introduce subtle bugs or backdoors, potentially affecting all future builds and deployments," Yakobi stated.

"In fact, a compromised action can even leverage your GitHub credentials to push malicious changes to other repositories within your organization, amplifying the damage across multiple projects."

Orca added that a search on GitHub identified as many as 198 files that execute "action/checkout" or "actons/checkout" instead of "actions/checkout" (notice the missing "s" and "i"), putting all those projects at danger.

This sort of typosquatting is intriguing to threat actors since it's a low-cost, high-impact assault that might result in strong software supply chain breaches, impacting numerous downstream clients all at once.

Users are recommended to double-check actions and their names to verify they are referencing the right GitHub organization, adhere to actions from reliable sources, and frequently monitor their CI/CD processes for typosquatting concerns.

"This experiment highlights how easy it is for attackers to exploit typosquatting in GitHub Actions and the importance of vigilance and best practices in preventing such attacks," Yakobi stated.

"The true situation is far more problematic since here we are merely spotlighting what occurs in public repositories. The effect on private repositories, where the same errors may be leading to severe security breaches, remains unclear."