Threat actors have been exploiting typosquatting to deceive users into accessing malicious websites or downloading harmful software [4]. Recent findings from security researchers at Orca have revealed that even GitHub Actions, a popular CI/CD platform, is susceptible to typosquatting attacks [5].

Description

This tactic involves registering domains or packages with names that closely resemble legitimate ones. Orca Security conducted a study on typosquatting attacks in the GitHub Actions ecosystem [2], registering 14 misspelled GitHub organizations to demonstrate the potential risks [2]. Attackers can create malicious actions that execute code without the developer’s awareness [4], potentially leading to the theft of sensitive information or the distribution of malware. Typosquatting can lead to developers unknowingly executing malicious workflows in their repositories [2], as demonstrated by the researchers [2]. By establishing organizations and repositories with names similar to well-known GitHub Actions [4], attackers can take advantage of users’ typos to execute malicious actions. The impact of typosquatting is significant due to the large number of developers on GitHub [2], with even a statistically rare occurrence potentially affecting thousands of victims [2]. This type of typosquatting poses a significant threat to software supply chains and has the potential to impact multiple projects simultaneously. Attackers can easily automate the creation of fake GitHub organizations and backdoor their code [2], leading to low-cost [2], high-impact attacks [1] [2]. The ability to execute malicious actions against others’ code can result in software supply chain attacks [2], compromising organizations and users who consume the backdoored code [2]. To mitigate the risk of such attacks, users are advised to carefully verify actions [5], rely on trusted sources, and inspect workflows for any signs of typosquatting. Mitigation strategies recommended by the researchers include double-checking actions and their names before use [2], choosing actions from verified creators [2], using version tags or commit SHAs [2], integrating security tools to scan for potential issues [2], and raising awareness among teams about typosquatting risks [2]. The vulnerability of GitHub Actions to typosquatting attacks underscores the importance of vigilance and best practices to prevent such attacks, especially in private repositories where the impact could be more severe [5]. Orca Security’s report also highlights the risk of supply chain compromises in GitHub projects with typos in the “action/checkout” command, emphasizing the potential for low-cost, high-impact attacks that could affect multiple downstream customers simultaneously [1].

Conclusion

The impact of typosquatting attacks on GitHub Actions highlights the need for increased vigilance and adherence to best practices to prevent such attacks. Mitigation strategies [2], such as verifying actions, relying on trusted sources, and inspecting workflows for signs of typosquatting, are crucial in safeguarding against potential risks. The potential for low-cost [3], high-impact attacks underscores the importance of maintaining awareness and implementing security measures to protect software supply chains and prevent compromises in GitHub projects. Future implications may include the development of more robust security protocols and increased education on the risks of typosquatting in the software development community.

References

[1] https://vulners.com/thn/THN:27E474E2DC931C44CFDEC02F36FBAB71
[2] https://www.csoonline.com/article/3506897/github-actions-typosquatting-a-high-impact-supply-chain-attack-in-waiting.html
[3] https://orca.security/resources/blog/typosquatting-in-github-actions/
[4] https://thehackernews.com/2024/09/github-actions-vulnerable-to.html
[5] https://secoperations.wordpress.com/2024/09/07/github-actions-vulnerable-to-typosquatting-exposing-developers-to-hidden-malicious-code/