A vulnerability in GitHub Actions artifacts [3] [4] [5], known as ArtiPACKED [4], has been discovered [4] [5], posing a significant threat to repository security [3].

Description

This exploit targets a race condition in GitHub's artifact system, allowing attackers to compromise repositories and inject malicious code into widely used software [5]. Researchers at Palo Alto Networks' Unit 42 uncovered this attack vector [1], which affects open-source GitHub projects owned by major companies such as Google [1], Microsoft [1] [3], and Amazon Web Services [1] [3].

The vulnerability stems from the mishandling of GitHub tokens within workflow artifacts [5], potentially granting unauthorized access to repositories and compromising services. Malicious actors could download artifacts containing active GitHub tokens before those tokens expire [5], which led to unauthorized branches in high-profile open-source projects such as firebase/firebase-js-sdk and microsoft/TypeScript-repos-automation [4]. The attack exploits artifacts generated in software-development workflows [1], leaking both GitHub tokens and tokens for third-party cloud services [1] [3]. This could allow attackers to compromise services [1], push malicious code to production [1] [2], or access secrets stored in GitHub repositories [1]. The impact is significant [5], with the potential for remote code execution on CI/CD runners or developer workstations [5], bypassing normal security checks [5].

To address this security gap, Unit 42 researchers have developed a custom action called upload-secure-artifact [4], which scans artifacts for potential secret leaks before upload [5]. GitHub has classified this issue as informational [2] [5], urging users to secure their artifacts [2] [5], especially with the deprecation of Artifacts V3 [2]. Organizations using the artifacts mechanism are advised to reassess their practices to enhance security and prevent potential attacks. Unit 42 worked with affected companies to mitigate the issue [1], but other projects may still be vulnerable [1].

The vulnerability has been found in several open-source repositories associated with major companies, including Amazon Web Services [3], Google [1] [3] [5], Microsoft [1] [3], Red Hat [3], and Ubuntu [3] [5]. Organizations are urged to reevaluate their use of GitHub's artifact mechanism so that these often-overlooked artifacts do not become prime targets for attackers [3].

Conclusion

The discovery of the ArtiPACKED vulnerability in GitHub Actions artifacts highlights the critical need for enhanced security measures in software development workflows. Organizations must take proactive steps to secure their repositories and prevent unauthorized access and malicious code injections. The development of tools like upload-secure-artifact by Unit 42 demonstrates the importance of continuous monitoring and mitigation efforts to safeguard against potential attacks. Moving forward, it is imperative for organizations to prioritize security best practices and regularly assess their use of GitHub’s artifact mechanism to mitigate risks and protect valuable assets.

References

[1] https://www.darkreading.com/cloud-security/github-attack-vector-google-microsoft-aws-projects
[2] https://thehackernews.com/2024/08/github-vulnerability-artipacked-exposes.html
[3] https://cybermaterial.com/tokens-leak-risks-github-repository-takeover/
[4] https://securityonline.info/artipacked-a-new-github-actions-vulnerability-exposes-critical-credentials/
[5] https://cybersecuritynews.com/artipacked-github-repositories/