1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Jaw-dropping security flaws found in open source code could allow

    From TechnologyDaily@1337:1/100 to All on Wed Jun 18 22:15:07 2025
    Jaw-dropping security flaws found in open source code could allow hackers to spirit away entire projects - here's what devs need to know

    Date:
    Wed, 18 Jun 2025 21:09:00 +0000

    Description:
    Sysdig uncovered massive GitHub workflow flaws allowing attackers to hijack projects and steal secrets.

    FULL STORY ======================================================================Sysdig exposed how a trusted GitHub feature can silently hand control to attackers pull_request_target isnt just risky, its a loaded weapon in the wrong hands Even top-tier security projects like MITREs can fall to simple GitHub
    workflow misconfigurations

    Experts have revealed several critical vulnerabilities in GitHub Actions workflows which could pose serious risks to some major open source projects.

    A recent investigation by Sysdigs Threat Research Team (TRT) has exposed how misconfigurations, particularly involving the pull_request_target trigger, could let attackers seize control over active repositories or extract sensitive credentials.

    The team demonstrated this by compromising projects from well-known organizations such as MITRE and Splunk. GitHub Actions: A powerful tool with dangerous pitfalls

    GitHub Actions is widely adopted in modern software development for its automation capabilities, but this convenience often hides security risks.

    Modern supply chain attacks frequently begin by abusing insecure workflows, the report states, noting how secrets like tokens or passwords embedded in workflows can be exploited if improperly secured.

    Despite available best practices and documentation, many repositories
    continue to use high-risk configurations, either from oversight or a lack of awareness.

    At the core of the problem is the pull_request_target trigger, which runs workflows in the context of the main branch.

    This setup grants elevated privileges, including access to GITHUB_TOKEN and repository secrets, to code submitted from forks.

    While intended to facilitate pre-merge testing, this mechanism also allows execution of untrusted code, creating an attack surface that is easily overlooked.

    The risks are not hypothetical, they are real.

    In the Spotipy repository, which integrates with Spotifys Web API, Sysdig discovered a setup where a crafted setup.py could execute code and harvest secrets.

    In MITREs Cybersecurity Analytics Repository (CAR), attackers were able to execute arbitrary code by modifying dependencies.

    Sysdig confirmed it was possible to take over the GitHub account associated with the project.

    Even Splunks security_content repository had secrets like APPINSPECTUSERNAME and APPINSPECTPASSWORD exposed, despite the limited scope of the
    GITHUB_TOKEN.

    Developers should reassess the use of pull_request_target, considering safer alternatives - Sysdig recommends separating workflows, using unprivileged checks first, and only allowing sensitive tasks after validation.

    Limiting the capabilities of tokens and adopting real-time monitoring with tools like Falco Actions can also provide vital protection. You might also like Take a look at the best malware removal options around Weve rounded up a list of the best endpoint protection tools Check out the best antivirus for extra protection too



    ======================================================================
    Link to news story: https://www.techradar.com/computing/artificial-intelligence/jaw-dropping-flaws -found-in-open-source-projects-could-allow-hackers-to-take-away-entire-project s-heres-what-devs-need-to-know


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)