Get all your news in one place.

100’s of premium titles.
One app.

Get all your news in one place.

100’s of premium titles. One news app.

TechRadar

Sead Fadilpašić

Many top-level open source projects found leaking GitHub auth tokens

GitHub AWS Google Microsoft Red Hat Unit 42

Representational image depecting cybersecurity protection.

Many top-level open source projects have been found leaking GitHub auth tokens, putting entire projects at risk of data theft and malicious code tampering.

Cybersecurity researchers from Unit 42 discovered the mishap and reported it to both GitHub and corresponding project owners - however GitHub said it wouldn’t be addressing the issue, and that the security of auth tokens lies solely with project owners.

Unit 42 said it found open source projects from the likes of Google, Microsoft, and AWS, leaking GitHub authentication tokens through GitHub Actions artifacts in CI/CD workflows. Should a malicious actor find these tokens, they could use them to access private repositories, steal source code, or even tamper with it, turning legitimate projects into malware.

Multiple payloads

That being said, Unit 42 says issues such as risky default settings, user misconfiguration, and insufficient security checks, are at the heart of the problem.

One issue resides in the ‘actions/checkout’ action which, by default, keeps the GitHub token in the local .git directory (hidden), since it’s required for authenticated operations. But if a developer uploads the complete checkout directory for any reason, they will inadvertently expose the GitHub token inside the .git folder.

More details about the different risk factors Unit 42 discovered can be found on this link.

In total, the researchers found 14 open source projects, belonging to major organizations, whose GitHub tokens are being exposed. They reported their findings to each one:

Firebase (Google)
OpenSearch Security (AWS)
Clair (Red Hat)
Active Directory System (Adsys) (Canonical)
JSON Schemas (Microsoft)
TypeScript Repos Automation, TypeScript Bot Test Triggerer, Azure Draft (Microsoft)
CycloneDX SBOM (OWASP)
Stockfish
Libevent
Guardian for Apache Kafka (Aiven-Open)
Git Annex (Datalad)
Penrose
Deckhouse
Concrete-ML (Zama AI)

Via BleepingComputer

More from TechRadar Pro

GitHub malware spreads by hackers spoofing Microsoft files
Here's a list of the best malware removal tools around today
These are the best endpoint security tools right now

Sign up to read this article

Read news from 100’s of titles, curated specifically for you.

Already a member? Sign in here

Top stories on inkl right now

Kamala Harris attacks Trump over ‘immoral’ abortion bans at Wisconsin rally

Kamala Harris attacks Trump over ‘immoral’ abortion bans at Wisconsin rally

Nominee emphasizes support for abortion rights at rally in key state, and declares herself ‘the underdog in this race’

The Guardian - US

Rashida Tlaib condemns cartoonist for racist image of her with exploding pager

Rashida Tlaib condemns cartoonist for racist image of her with exploding pager

Henry Payne’s cartoon of the Palestinian American congresswoman called out as anti-Arab and Islamophobic

The Guardian - US

Ohio’s Republican governor condemns Trump and Vance for Springfield claims

Ohio’s Republican governor condemns Trump and Vance for Springfield claims

Mike DeWine criticizes pair in New York Times op-ed for repeating racist claims about Haitian immigrants

The Guardian - US

Secret Service ‘complacency’ led to security breach in Trump shooting – acting director

Secret Service ‘complacency’ led to security breach in Trump shooting – acting director

Ronald Rowe says ‘lack of diligence’ contributed to shooting at ex-president’s rally and vows to not repeat mistakes

The Guardian - US

One subscription that gives you access to news from hundreds of sites

Already a member? Sign in here

Haiti's insecurity is worsening as gangs seize more territory, UN rights expert says

Haiti's insecurity is worsening as gangs seize more territory, UN rights expert says

A U.N. human rights expert says that gang violence is spreading across Haiti as a U.N.-backed mission targeting criminals remains underfunded and understaffed

The Independent UK

Three Mile Island nuclear reactor to restart to power Microsoft AI operations

Three Mile Island nuclear reactor to restart to power Microsoft AI operations

Pennsylvania plant was site of most serious nuclear meltdown and radiation leak in US history in 1979

The Guardian - US

Related Stories

Top stories on inkl right now

Kamala Harris attacks Trump over ‘immoral’ abortion bans at Wisconsin rally

Kamala Harris attacks Trump over ‘immoral’ abortion bans at Wisconsin rally

Nominee emphasizes support for abortion rights at rally in key state, and declares herself ‘the underdog in this race’

The Guardian - US

Rashida Tlaib condemns cartoonist for racist image of her with exploding pager

Rashida Tlaib condemns cartoonist for racist image of her with exploding pager

Henry Payne’s cartoon of the Palestinian American congresswoman called out as anti-Arab and Islamophobic

The Guardian - US

Ohio’s Republican governor condemns Trump and Vance for Springfield claims

Ohio’s Republican governor condemns Trump and Vance for Springfield claims

Mike DeWine criticizes pair in New York Times op-ed for repeating racist claims about Haitian immigrants

The Guardian - US

Secret Service ‘complacency’ led to security breach in Trump shooting – acting director

Secret Service ‘complacency’ led to security breach in Trump shooting – acting director

Ronald Rowe says ‘lack of diligence’ contributed to shooting at ex-president’s rally and vows to not repeat mistakes

The Guardian - US

One subscription that gives you access to news from hundreds of sites

Already a member? Sign in here

Haiti's insecurity is worsening as gangs seize more territory, UN rights expert says

Haiti's insecurity is worsening as gangs seize more territory, UN rights expert says

A U.N. human rights expert says that gang violence is spreading across Haiti as a U.N.-backed mission targeting criminals remains underfunded and understaffed

The Independent UK

Three Mile Island nuclear reactor to restart to power Microsoft AI operations

Three Mile Island nuclear reactor to restart to power Microsoft AI operations

Pennsylvania plant was site of most serious nuclear meltdown and radiation leak in US history in 1979

The Guardian - US

Our Picks

Demi Moore Shares the Relatable Reason Why She Doesn’t Give Her Daughter Rumer Willis Parenting Advice

“It is better that I just keep my mouth shut.”

How to watch 'The Voice' season 26 online — TV channel and live streams

Here's how to watch "The Voice" season 26 wherever you are, with Gwen Stefani and Reba McEntire joined by new coaches Michael Bublé and Snoop Dogg.

Carnival Cruise Line adds an item to banned list

The cruise line has changed its prohibited items list, and passengers need to know about the move.

4 social media mistakes that can ruin relationships

By being aware of so-called social media transgressions, couples can identify them before they do real relationship damage.

Kelly Osbourne Reveals Matthew Perry’s Kind Gesture From Rehab She’ll “Never Forget”

As Kelly Osbourne spoke about Matthew Perry, she said: "I wish I could say that I was surprised by his death." The post Kelly Osbourne Reveals Matthew Perry’s Kind Gesture From Rehab She’ll “Never Forget” first appeared on Bored Panda.

“Suddenly I smelled burning”: Timbaland's beat for Nelly Furtado's Maneater was so fire that flames started coming out of the speaker when he played it to her

Furtado has also reiterated her love of Oasis, and says that “I feel like Noel Gallagher taught me to play guitar without him knowing"

Fourteen days free

Download the app

One app. One membership.
100+ trusted global sources.

Download on the AppStore

Get it on Google Play