GitHub Actions typosquatting: Supply chain attack-in-waiting

“This level of access can be dangerous if the action is malicious – it can install malware, steal secrets, or make secret changes to your code,” the Orca researchers warn. “The consequences of such access can be dire. Consider an action that releases sensitive information or modifies code to introduce hidden bugs or backdoors, potentially affecting all future builds and deployments. In fact, a vulnerable actor could even use your GitHub credentials to drive malicious changes to other repositories within your organization, amplifying the damage across multiple projects.”

This brings up another important point: It is not the number of affected repositories that matters, but their importance and size. Even if an attacker was able to compromise only 10 repositories this way, one that is part of a popular project could give the attacker access to thousands of users and organizations down the supply chain.

Mitigation

GitHub takes action against impersonated accounts when brought to its attention, but users should not rely on that as a defense against typosquatting attacks. Of the 14 typosquatted organizations that Orca created as proof of concept, GitHub has stopped only one in three months – circelci – and that’s probably because someone reported it. CircleCI is one of the most popular CI/CD platforms.
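One way to check for this yourself, as an added example that is not from the article or from Orca's research: the script below scans workflow text for `uses:` references and flags owners that are a near-miss of a name you trust, such as the `circelci` lookalike mentioned above. The trusted-owner list, the distance threshold and the sample workflow are assumptions constructed for illustration.

```python
import re

# Assumption: owners your organization actually intends to use (edit to fit).
TRUSTED_OWNERS = {"actions", "circleci", "docker", "github"}

# Captures the owner in "uses: owner/repo@ref"; local (./) and docker:// refs do not match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([A-Za-z0-9-]+)/", re.M)

def distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def find_lookalikes(workflow_text, trusted=TRUSTED_OWNERS, max_distance=2):
    """Return (owner, nearest_trusted_owner) for owners that are not trusted
    but sit within max_distance of a trusted name."""
    findings = []
    for owner in USES_RE.findall(workflow_text):
        owner = owner.lower()  # GitHub owner names are case-insensitive
        if owner in trusted:
            continue
        nearest = min(trusted, key=lambda t: (distance(owner, t), t))
        if distance(owner, nearest) <= max_distance:
            findings.append((owner, nearest))
    return findings

# Constructed sample workflow; only the "circelci" spelling comes from the article.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: circelci/example-action@v1
      - uses: ./.github/actions/local
"""
if __name__ == "__main__":
    for owner, nearest in find_lookalikes(SAMPLE):
        print(f"suspicious owner '{owner}': did you mean '{nearest}'?")
```

An owner that is unknown but not close to any trusted name is not flagged by this check, so it complements an explicit allow-list of actions and does not replace one.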

