TechRadar
Sead Fadilpašić

Many top-level open source projects found leaking GitHub auth tokens


Many top-level open source projects have been found leaking GitHub auth tokens, putting entire projects at risk of data theft and malicious code tampering.

Cybersecurity researchers from Unit 42 discovered the mishap and reported it to both GitHub and the corresponding project owners. However, GitHub said it wouldn’t be addressing the issue, and that the security of auth tokens lies solely with project owners.

Unit 42 said it found open source projects from the likes of Google, Microsoft, and AWS leaking GitHub authentication tokens through GitHub Actions artifacts in CI/CD workflows. Should a malicious actor find these tokens, they could use them to access private repositories, steal source code, or even tamper with it, turning legitimate projects into malware.

Multiple payloads

That being said, Unit 42 says issues such as risky default settings, user misconfiguration, and insufficient security checks are at the heart of the problem.

One issue resides in the ‘actions/checkout’ action which, by default, keeps the GitHub token in the local .git directory (hidden), since it’s required for authenticated operations. But if a developer uploads the complete checkout directory for any reason, they will inadvertently expose the GitHub token inside the .git folder.
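A check a workflow could run on a directory before uploading it as an artifact, as an added example that is not from Unit 42 or the projects named here. It assumes the persisted token appears as an http `extraheader` entry in a git config file; the function names are hypothetical and the sample config is constructed with a placeholder instead of a token.

```python
import os
import re
import sys
import tempfile

# Assumption: the token is persisted as an http "extraheader" entry in a git
# config file; credentials embedded in a remote URL are flagged as well.
PATTERNS = {
    "extraheader": re.compile(r"^\s*extraheader\s*=\s*authorization:", re.I),
    "url-credentials": re.compile(r"^\s*url\s*=\s*https?://[^/\s@]+@", re.I),
}

# Constructed sample; PLACEHOLDER stands in for the encoded token.
SAMPLE = ('[core]\n\tbare = false\n[http "https://github.com/"]\n'
          '\textraheader = AUTHORIZATION: basic PLACEHOLDER\n')


def scan_git_config(path):
    """Return (line_no, kind) per credential-bearing line, never the value."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            hits += [(no, kind) for kind, rx in PATTERNS.items() if rx.search(line)]
    return hits


def scan_tree(root):
    """Check every git config under any .git directory (covers submodules)."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if ".git" in rel.split(os.sep) and "config" in filenames:
            hits = scan_git_config(os.path.join(dirpath, "config"))
            if hits:
                findings[os.path.join(rel, "config")] = hits
    return findings


def demo(config_text=SAMPLE):
    """Write config_text into a throwaway checkout and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "repo", ".git"))
        with open(os.path.join(root, "repo", ".git", "config"), "w") as fh:
            fh.write(config_text)
        return scan_tree(root)


if __name__ == "__main__":
    # Scan the path given on the command line, or the constructed sample.
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(found)
    raise SystemExit(1 if found else 0)  # non-zero fails the CI step
```

Run as a step ahead of the upload, a non-zero exit stops the job before the artifact is published. Setting `persist-credentials: false` on `actions/checkout` keeps the token out of the git config in the first place.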

More details about the different risk factors Unit 42 discovered can be found on this link.

In total, the researchers found 14 open source projects, belonging to major organizations, whose GitHub tokens are being exposed. They reported their findings to each one:

Firebase (Google)
OpenSearch Security (AWS)
Clair (Red Hat)
Active Directory System (Adsys) (Canonical)
JSON Schemas (Microsoft)
TypeScript Repos Automation, TypeScript Bot Test Triggerer, Azure Draft (Microsoft)
CycloneDX SBOM (OWASP)
Stockfish
Libevent
Guardian for Apache Kafka (Aiven-Open)
Git Annex (Datalad)
Penrose
Deckhouse
Concrete-ML (Zama AI)

Via BleepingComputer
