Risky Bulletin: GitHub supply chain attack leaks secrets - Risky Bulletin

Summary

Risky Bulletin: GitHub Supply Chain Attack Leaks Secrets Hosted by Patrick Gray on Risky.biz | Released: March 16, 2025

Introduction

In the March 17th episode of Risky Bulletin, hosted by Patrick Gray, the Risky Business team delves into several critical cybersecurity incidents and developments. This episode, titled “GitHub Supply Chain Attack Leaks Secrets,” provides an in-depth analysis of a recent GitHub breach, government responses to cybersecurity challenges, legislative changes affecting digital security, and notable cyber threats impacting global infrastructure.

GitHub Supply Chain Attack

Overview of the Breach

Patrick Gray opens the episode by detailing a significant supply chain attack on GitHub. An unidentified attacker infiltrated a widely-used GitHub action, compromising both current and older versions of changed files across more than 23,000 projects. The malicious code executed a Python script designed to extract secret tokens from the GitHub server's memory and subsequently wrote these tokens to the build logs.

Impact and Response

"An unknown attacker used malicious code they snuck into a popular GitHub action to steal secret keys," Gray explains at [00:04]. The exposure of these secret tokens poses a severe risk, especially since build logs for public repositories are publicly accessible. As a result, the podcast emphasizes the urgent need for affected projects to revoke and replace all compromised secret tokens to mitigate unauthorized access.

Security Recommendations

The episode underscores the importance of vigilance in managing supply chain dependencies and regularly auditing code repositories for unauthorized changes. GitHub’s prompt removal of the malicious library from Maven Central and GitHub itself highlights the platform’s swift response to such threats.

Government Responses to Cybersecurity Challenges

U.S. Federal Agencies Urged to Retain Cyber Staff

Patrick Gray reports that the White House has intervened to prevent further layoffs in federal cybersecurity teams. Citing an email from US Federal Chief Information Officer Greg Barbaccia viewed by Reuters, Gray states, “Cybersecurity is national security related and should be exempt from layoffs” ([00:04]). This directive follows significant layoffs, including over 130 roles at the Cybersecurity and Infrastructure Security Agency (CISA).

Expert Warnings

Former NSA Director of Cybersecurity, Rob Joyce, addressed Congress, warning that mass firings could leave government networks vulnerable to foreign cyberattacks. His testimony underscores the intrinsic link between robust cybersecurity staffing and national security.

Germany’s Fiscal Policy Adjustment for Cybersecurity

The podcast highlights Germany's strategic decision to exclude cybersecurity spending from debt caps, reversing previous borrowing restrictions set during the 2009 Global Financial Crisis. This move allows Germany to increase defense and cybersecurity budgets amid deteriorating US-Europe relations and growing global cyber threats.

Legislative Changes and Surveillance Concerns

Turkey's New Cybersecurity Law

Gray discusses Turkey's passage of a stringent cybersecurity law, granting the Cyber Security Directorate expansive powers to collect and search digital records. This law also criminalizes the reporting of unverified security incidents, with penalties reaching up to five years imprisonment. The rapid passage of this legislation in under six weeks has raised alarms among opposition parties, who argue that it erodes free speech and establishes a pervasive surveillance state.

Cyberattacks on Healthcare and Critical Infrastructure

Ransomware Impact in Micronesia

The episode covers a crippling ransomware attack on Micronesia’s health system, which led to the entire network being taken offline to contain the breach. With a population of over 12,000, Micronesia joins other Pacific nations like Tonga, Palau, and Vanuatu in suffering from severe ransomware disruptions, highlighting a regional vulnerability in critical infrastructure.

Russian Cybercrime Crackdown

Russian authorities have detained the alleged new administrator of the Banshee Stealer malware, a tool known for extracting credentials from macOS systems. The malware's source code was reportedly sold to a new owner in December 2024, broadening its threat landscape. Additionally, US authorities have extradited Rostislav Panev, a Russian-Israeli national, for his involvement in developing Lockbit ransomware, exemplifying international efforts to combat cybercrime.

Scams and Malware Threats

Coinbase Scam Alert

Coinbase has issued warnings about a sophisticated scam targeting its users. Attackers send fraudulent emails purportedly from Coinbase, instructing users to transfer funds to a pre-established wallet. Upon moving the funds, users receive recovery phrases which the attackers exploit to steal assets. This highlights the ongoing challenge of phishing and social engineering attacks in the cryptocurrency space.

Malicious Java Library and OAuth Credential Theft

A covert Java library was identified stealing OAuth credentials on the 15th of every month. Disguised as a legitimate OAuth library, the malware was distributed via the Maven package repository starting January 2024. Although it has since been removed from Maven Central and GitHub, the incident underscores the persistent threat of malicious libraries in open-source ecosystems.

EdMax Security Camera Vulnerability

Multiple botnets have exploited a zero-day command injection vulnerability in EdMax security cameras since October 2024. Despite a public proof of concept being available for over a year, the zero-day was actively exploited, emphasizing the importance of timely vulnerability disclosures and patch management.

Corporate and Legal Developments

Meta vs. NSO Group

Meta is seeking approximately $450,000 in damages from Israeli spyware firm NSO Group. This legal battle stems from Meta’s 2019 lawsuit alleging that NSO exploited vulnerabilities to conduct hacks. After years of legal maneuvering, a US court found NSO liable in December 2024, marking a significant precedent in holding spyware companies accountable.

Rafael Satter's Legal Battle

Rafael Satter, a Reuters Cyber Security reporter, is suing the Indian government following the revocation of his dual citizenship. The cancellation, prompted by his investigative reporting on Appen’s involvement in hacker-for-hire services, has barred him from traveling to India and drawn criticism over press freedom and citizenship rights.

Technological Advancements and Privacy Enhancements

Rich Communication Services (RCS) Encryption

The GSM Association announced the latest RCS standard now supports end-to-end encryption, with major tech players Apple and Google committing to support this feature in future releases. This advancement aims to provide secure messaging alternatives to SMS, promoting privacy across Android and iOS platforms.

Amazon’s Alexa Voice Recording Changes

Amazon will discontinue the option to locally process Alexa voice requests on certain Echo devices effective March 28th. Post this update, all voice data will be processed in the cloud, and the "Do Not Send Voice Recordings" option will be renamed to "Don't Save Recordings," ensuring voice data is deleted after processing.

Data Exposure and Secret Leaks

GitHub Repository Secret Leaks

In 2024, nearly 24 million hard-coded secrets were leaked via GitHub repositories, a 25% increase from the previous year. The most commonly exposed secrets included ODBC connection strings and AWS IAM credentials. Security firm GitGuardian notes a troubling trend: secret leaks are escalating despite GitHub's detection efforts during code pushes. Moreover, 70% of secrets detected in public repositories in 2022 remain active today, posing ongoing security threats.

Conclusion

Patrick Gray wraps up the episode by reiterating the importance of robust cybersecurity measures across all sectors. From supply chain vulnerabilities to legislative changes and evolving malware threats, the episode underscores the dynamic and persistent nature of cyber risks in today’s interconnected world. Listeners are encouraged to stay informed and proactive in safeguarding their digital assets.

Notable Quotes:

Patrick Gray [00:04]: "An unknown attacker used malicious code they snuck into a popular GitHub action to steal secret keys."

For more detailed insights and updates, subscribe to Risky Bulletin at risky.biz.

Transcript

Patrick Gray (0:04)

A GitHub supply chain attack leaks secrets the White House tells federal agencies to stop firing cyber staff. Germany exempts cybersecurity from debt limits and the RCS standard adds support for end to end encryption. This is the risky bulletin prepared by Catalyn Kimpanu and read by me, Patrick Gray, filling in for Clair Aird. Today is March 17th and this podcast is brought to you by the not no Code automation platform tines. An unknown attacker used malicious code they snuck into a popular GitHub action to steal secret keys. The incident took place on Friday and impacted changed files, an automated action used by more than 23,000 GitHub projects. The malicious code was added to the current and older versions of changed files. That code downloaded and ran a Python script that searched the GitHub server's memory and wrote any secret tokens it found to the build log. Anyone can read build logs for public GitHub repositories, so projects that use the compromised action should change all their secret tokens. The White House has urged federal agencies to refrain from firing their cybersecurity staff. In an email seen by Reuters, US Federal Chief Information Officer Greg Barbaccia told the agency that cybersecurity is national security related and should be exempt from layoffs. The call comes following a wave of layoffs this year, including more than 130 CISA roles. Former NSA Director of cybersecurity Rob Joyce warned Congress earlier this month that the mass firings would leave government networks exposed to attacks from foreign adversaries. Germany's incoming government will exclude cybersecurity spending from debt caps. Overall public sector borrowing was restricted to 0.35% of GDP during the 2009 Global Financial Financial crisis. Cybersecurity is one of several sectors that will be excluded from the debt restrictions as Germany seeks to raise defence spending and rearm as US Europe relations deteriorate. The Turkish parliament has passed a new law giving the country's Cyber Security Directorate broad powers to collect and search digital records. The new cyber security law also targets people who report on security incidents that have not been confirmed by the government. Offenders could face up to five years imprisonment. Officials fast tracked the bill, which passed in less than six weeks. The country's opposition argues the bill lays a legal foundation to restrict free speech and establish a sprawling surveillance apparatus. A ransomware attack has taken down the health system of an entire state In Micronesia, officials took the health systems network offline to respond to the incident. The state is home to more than 12,000 residents. Micronesia is the latest Pacific nation to suffer a crippling ransomware attack. Tonga, Palau and Vanuatu have also been targeted in recent years. Russian authorities have arrested the alleged new administrator of the Banshee Stealer malware. Police detained the suspect after the malware allegedly targeted Russian users. The Banshee Stealer is one of the few infostealers that loots credentials from macOS systems. The malware's original author sold the source code to a new owner in December 2024. US authorities have extradited a Russian Israeli national for his role in developing the Lockbit ransomware. Rostislav Panev was initially arrested in Israel in August last year. Israeli investigators allegedly found evidence at his home linking him to lock bit ransom notes and payments. Cryptocurrency exchange Coinbase has warned of a scam that tricks users into moving funds into a wallet set up in advance by attackers. Users have reported emails claiming to be from Coinbase that prompt users to migrate funds to a self custodial wallet. Users are given recovery phrases generated by the attackers once the funds have been moved. The attackers use the recovery phrase to steal the assets. A malicious Java library was spotted secretly stealing OAuth credentials on the 15th of every month. Socket Security says the package mimicked the name of a popular OAuth library. It was available via the Maven package repository from January 2024. Since being discovered, the malicious library has been removed from Maven Central and GitHub, staying with GitHub and its security team, has discovered two vulnerabilities in the Ruby SAML authentication libra. The vulnerabilities can be used to bypass SAML authentication and log in as anyone. GitHub says attackers only need a single valid signature to create SAML assertions for any other user. Patches were released last week. Meta is seeking financial damages of close to $450,000 from Israeli spyware maker NSO Group. The amount covers the costs incurred while investigating a wave of attacks using an NSO exploit in 2019. Metta sued NSO the same year, and after years of stonewalling the US Courts, a judge found the Israeli company liable for the hacks in December 2024. Reuters Cyber Security reporter Rafael Satter is suing the Indian government for cancelling his dual citizenship. Satter is American and based in Washington, D.C. and received Indian citizenship through marriage. The cancellation means he can no longer travel to India. Indian officials cancelled SATA's citizenship in December 2023 after the Reuters team published a story exposing Indian company Appen as a provider of hacker for hire services. Officials claimed Satter's work besmirched India's international reputation. The GSM association has released a new version of the Rich Communication Services standard that supports end to end encryption. Both Apple and Google have said they will support encrypted RCS in future releases. The implementations will be compatible and allow Android and iOS users to exchange secure messages on supported mobile networks. Google began pushing for RCS to replace SMS in the mid 2010s. Amazon will remove the option to locally process Alexa voice requests on some Echo smart speakers. The feature will be removed on March 28. After this, all Alexa requests will be processed in the cloud. Amazon says the Do Not Send voice Recordings option will be renamed to Don't Save Recordings. This will delete the voice recordings from the cloud after they're processed. Multiple botnets have been seen exploiting a zero day command injection vulnerability in EdMax security cameras. Widespread exploitation was first seen in October 24, but even then a public proof of concept had already been available for the bug for over a year. Developers leaked almost 24 million hard coded secrets via GitHub repositories last year, which is up 25% on the previous year. The top most common secrets leaked in 2024 were ODBC connection strings and AWS IAM credentials. Security firm GitGuardian says secret leaks are steadily worsening over time, despite GitHub's efforts to detect them during the push stage. The company also says that 70% of the secrets detected in public repos in 2022 remain active even today. That's all for this podcast edition. Today's show was brought to you by our sponsor Tynes. Find them@tynes.com.