News

Hi folks.

I hope this week's email finds you well! :-) There are some valuable lessons on GitHub Actions, and an eye-watering $32B acquisition by Google. I hope you enjoy the read!

I'll be pausing the newsletter for about two months. There's a big maintenance window coming up at the power plant where I work, which requires all hands on deck, and after that we're moving house. When all that is done, I'll be back :-) Cheers!

Dieter Van der Stock

GitHub Actions supply chain attack

A reusable GitHub Action building block, 'tj-actions/changed-files', which is used by 23,000 repositories, was hijacked. The attackers injected code that dumped CI secrets as a readable file in the affected GitHub repository. The impact is somewhat limited though, with "only" 218 repositories actually ending up exposing secrets.

If you use GitHub Actions yourself, it's a very worthwhile read to extract some lessons from. For example: don't pin your actions to version tags, because a tag can still be changed to point at different code. Instead, it is recommended to pin them to specific commit hashes.
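As an added example (not from the newsletter or the linked articles), here is a small Python check that flags `uses:` references in a workflow file that point at a tag or branch rather than a full 40-character commit SHA. The workflow, tag names and SHA in the sample are constructed placeholders, not values from the incident.

```python
import re

# Added example: flag GitHub Actions `uses:` references pinned to a mutable
# tag or branch instead of an immutable 40-hex commit SHA. A tag can be
# moved to new code (the lesson from tj-actions/changed-files); a SHA cannot.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def classify_ref(uses: str) -> str:
    """Return 'sha', 'mutable' or 'local' for one `uses:` value."""
    uses = uses.strip("'\"")
    if uses.startswith("./") or uses.startswith("docker://"):
        return "local"      # local path or container image: out of scope here
    if "@" not in uses:
        return "mutable"    # no ref at all resolves to the default branch
    _, ref = uses.rsplit("@", 1)
    return "sha" if SHA_RE.match(ref) else "mutable"

def find_mutable_pins(workflow_yaml: str) -> list[tuple[int, str]]:
    """List (line_number, uses_value) for every action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            uses = m.group(1).strip("'\"")
            if classify_ref(uses) == "mutable":
                findings.append((lineno, uses))
    return findings

# Constructed sample workflow; the tags and the all-zero SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v1
      - uses: actions/setup-python@0000000000000000000000000000000000000000 # v5 (placeholder SHA)
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, uses in find_mutable_pins(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} uses a mutable ref; pin it to a commit SHA")
```

Pinning to a SHA only helps if the SHA is kept up to date, so keep the human-readable version in a trailing comment (as on the setup-python line) for tooling like Dependabot to bump.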

Three articles that explain it well, in chronological order:

  • Supply chain attack on popular GitHub Action exposes CI/CD secrets: link.
  • GitHub Action hack likely led to another in cascading supply chain attack: link.
  • GitHub Action supply chain attack exposed secrets in 218 repos: link.

Quick links

  • New Windows zero-day exploited by 11 state hacking groups since 2017: link.
  • Sperm donation giant California Cryobank warns of a data breach: link.
  • Veeam RCE bug lets domain users hack backup servers, patch now: link.
  • Critical RCE flaw in Apache Tomcat actively exploited in attacks: link.
  • GitLab patches critical authentication bypass vulnerabilities: link.