Risky Bulletin: GitHub Supply Chain Attack Leaks Secrets Hosted by Patrick Gray on Risky.biz | Released: March 16, 2025
Introduction
In the March 17th episode of Risky Bulletin, hosted by Patrick Gray, the Risky Business team delves into several critical cybersecurity incidents and developments. This episode, titled “GitHub Supply Chain Attack Leaks Secrets,” provides an in-depth analysis of a recent GitHub breach, government responses to cybersecurity challenges, legislative changes affecting digital security, and notable cyber threats impacting global infrastructure.
GitHub Supply Chain Attack
Overview of the Breach
Patrick Gray opens the episode by detailing a significant supply chain attack on GitHub. An unidentified attacker compromised a widely used GitHub Action (the tj-actions/changed-files action, used by more than 23,000 projects) and re-pointed both its current and its older version tags at malicious code, so that pinning to an older tag offered no protection. The injected code ran a Python script that read the memory of the GitHub Actions runner process, extracted the secrets held there (the workflow's GITHUB_TOKEN and any other secrets passed into the job), and wrote them into the build logs.
Impact and Response
"An unknown attacker used malicious code they snuck into a popular GitHub action to steal secret keys," Gray explains at [00:04]. The exposure is severe because build logs for public repositories are publicly readable, so anyone could harvest the dumped tokens. The podcast therefore emphasizes that affected projects must urgently revoke and replace every secret available to the workflows that ran the compromised action, not just the ones they can see in their own logs.
Security Recommendations
The episode underscores the importance of vigilance in managing supply chain dependencies: pinning third-party actions to immutable commit SHAs rather than mutable tags, and regularly auditing repositories and CI logs for unauthorized changes. GitHub removed the compromised action from the platform while the incident was investigated.
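The practical mitigation above is SHA pinning: a tag such as @v45 is a mutable pointer that whoever controls the action's repository can move, which is exactly what happened here, whereas a 40-hex commit SHA cannot be silently swapped. The following checker is an added example written for this page, not tooling from GitHub, Risky Business or the affected project; the workflow text it scans is constructed, the action names in it are placeholders, and the commit SHA is a dummy value.

```python
"""Flag GitHub Actions workflow steps that are not pinned to a full commit SHA.

Added example for this page; not GitHub's or any project's own tooling.
Parsing is regex-based so it runs without PyYAML; it only looks at `uses:` lines.
"""
import re

# `uses: owner/repo[/path]@ref`, optionally quoted, optionally followed by a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?', re.MULTILINE)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(uses: str) -> str:
    """Return 'local', 'docker', 'sha', 'tag' or 'unpinned' for one `uses:` value."""
    if uses.startswith('./'):
        return 'local'        # action shipped inside the repository itself
    if uses.startswith('docker://'):
        return 'docker'       # image reference; should be pinned by digest, not handled here
    if '@' not in uses:
        return 'unpinned'     # no ref at all: resolves to the default branch
    _, ref = uses.rsplit('@', 1)
    return 'sha' if SHA_RE.match(ref) else 'tag'   # anything not a 40-hex SHA is mutable


def find_unpinned(workflow_yaml: str) -> list:
    """Return (line_number, uses_value, classification) for each step whose ref
    can be moved by the action's maintainer or an attacker: tags, branches, or
    no ref at all. SHA-pinned, local and docker:// steps are not reported."""
    findings = []
    for m in USES_RE.finditer(workflow_yaml):
        uses = m.group(1)
        kind = classify_ref(uses)
        if kind in ('tag', 'unpinned'):
            line = workflow_yaml.count('\n', 0, m.start()) + 1
            findings.append((line, uses, kind))
    return findings


# Constructed sample workflow. Action names are placeholders and the SHA is a dummy.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - uses: example-org/example-action@v45     # mutable tag: can be re-pointed
      - uses: example-org/other-action           # no ref: tracks the default branch
      - uses: ./.github/actions/local-step
      - name: run
        run: make test
"""

if __name__ == '__main__':
    for line, uses, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {line}: {uses} ({kind}) is not pinned to a commit SHA')
```

Run it over every file under .github/workflows/ and treat any finding as a CI failure; once pinned, keep the SHA current with a tool such as Dependabot rather than by hand.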
Government Responses to Cybersecurity Challenges
U.S. Federal Agencies Urged to Retain Cyber Staff
Patrick Gray reports that the White House has intervened to prevent further layoffs in federal cybersecurity teams. Citing an email from US Federal Chief Information Officer Greg Barbaccia viewed by Reuters, Gray quotes the email's position that "Cybersecurity is national security related and should be exempt from layoffs" ([00:04]). This directive follows significant layoffs, including over 130 roles at the Cybersecurity and Infrastructure Security Agency (CISA).
Expert Warnings
Former NSA Director of Cybersecurity, Rob Joyce, addressed Congress, warning that mass firings could leave government networks vulnerable to foreign cyberattacks. His testimony underscores the intrinsic link between robust cybersecurity staffing and national security.
Germany’s Fiscal Policy Adjustment for Cybersecurity
The podcast highlights Germany's decision to exempt defense and cybersecurity spending from its constitutional debt brake, the borrowing limit introduced in 2009 in the wake of the Global Financial Crisis. This move allows Germany to increase defense and cybersecurity budgets amid deteriorating US-Europe relations and growing global cyber threats.
Legislative Changes and Surveillance Concerns
Turkey's New Cybersecurity Law
Gray discusses Turkey's passage of a stringent cybersecurity law granting the country's Cyber Security Directorate expansive powers to collect and search digital records. The law also criminalizes publicly claiming that a data breach or security incident has occurred without verification, with penalties of up to five years' imprisonment. Its passage in under six weeks has alarmed opposition parties, who argue that it erodes free speech and lays the groundwork for a pervasive surveillance state.
Cyberattacks on Healthcare and Critical Infrastructure
Ransomware Impact in Micronesia
The episode covers a crippling ransomware attack on the health system of Yap, one of the Federated States of Micronesia, which led to the entire network being taken offline to contain the breach. With a population of just over 12,000, Yap joins other Pacific nations like Tonga, Palau, and Vanuatu in suffering severe ransomware disruptions, highlighting how exposed the region's critical infrastructure is.
Russian Cybercrime Crackdown
Russian authorities have detained the alleged new administrator of the Banshee Stealer malware, an infostealer that harvests credentials from macOS systems. The malware's source code was reportedly sold to a new owner in December 2024, which broadened its reach. Separately, Rostislav Panev, a dual Russian-Israeli national, has been extradited from Israel to the US over his alleged role in developing the LockBit ransomware, an example of international efforts to combat cybercrime.
Scams and Malware Threats
Coinbase Scam Alert
Coinbase has issued warnings about a sophisticated scam targeting its users. Phishing emails purporting to come from Coinbase instruct users to migrate their holdings to a self-custody wallet and supply a recovery phrase for them to set it up with. That phrase was generated by the attackers, so the wallet it unlocks is already under their control, and any funds the victim moves into it are promptly drained. This highlights the ongoing challenge of phishing and social engineering attacks in the cryptocurrency space: a recovery phrase handed to you by someone else is never yours.
Malicious Java Library and OAuth Credential Theft
A covert Java library was identified stealing OAuth credentials on the 15th of every month. Disguised as a legitimate OAuth library, the malware had been distributed via the Maven package repository since January 2024. Although it has since been removed from Maven Central and GitHub, the incident underscores the persistent threat of malicious libraries in open-source ecosystems, and the value of time-triggered behaviour to attackers, since a payload that fires only one day a month evades casual dynamic testing.
Edimax Security Camera Vulnerability
Multiple Mirai-based botnets have been exploiting an unpatched command injection vulnerability (CVE-2025-1316) in end-of-life Edimax IP cameras since at least October 2024. A public proof of concept had been available for more than a year before that, yet no fix shipped, which underlines the importance of timely vulnerability disclosure, vendor patching, and retiring devices that will never be patched.
Corporate and Legal Developments
Meta vs. NSO Group
Meta is seeking approximately $450,000 in damages from Israeli spyware firm NSO Group. This legal battle stems from Meta's 2019 lawsuit alleging that NSO exploited a WhatsApp vulnerability to install its Pegasus spyware on users' devices. After years of legal maneuvering, a US court found NSO liable in December 2024, a significant precedent in holding spyware companies accountable.
Raphael Satter's Legal Battle
Raphael Satter, a Reuters cybersecurity reporter, is suing the Indian government following the revocation of his Overseas Citizenship of India status. The cancellation, prompted by his investigative reporting on Appin's involvement in hacker-for-hire services, has barred him from traveling to India and drawn criticism over press freedom and the use of citizenship status as a lever against journalists.
Technological Advancements and Privacy Enhancements
Rich Communication Services (RCS) Encryption
The GSM Association announced that the latest RCS Universal Profile now supports end-to-end encryption, based on the Messaging Layer Security (MLS) protocol, with Apple and Google committing to support the feature in future releases. This advancement aims to provide a secure cross-platform alternative to SMS, so that encryption no longer stops at the Android/iOS boundary.
Amazon’s Alexa Voice Recording Changes
Amazon will discontinue the option to process Alexa voice requests locally on certain Echo devices effective March 28th. After this change, all voice data will be processed in the cloud, and the "Do Not Send Voice Recordings" option will be renamed "Don't Save Recordings," meaning voice data is still sent to Amazon but deleted after processing.
Data Exposure and Secret Leaks
GitHub Repository Secret Leaks
In 2024, nearly 24 million new hard-coded secrets were leaked via GitHub repositories, a 25% increase over the previous year. The most commonly exposed secrets included ODBC connection strings and AWS IAM credentials. Security firm GitGuardian notes a troubling trend: leaks keep escalating despite GitHub's secret scanning and push protection. Moreover, 70% of the secrets detected in public repositories in 2022 remain valid today, so a leak is rarely a one-day problem; a secret that is never rotated stays exploitable for years.
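The two secret types named above are also the easiest to catch before a push, because both have a recognisable shape: AWS access key IDs carry a fixed AKIA/ASIA prefix followed by 16 uppercase alphanumerics, and ODBC connection strings are semicolon-delimited key=value pairs with a Pwd or Password field. The scanner below is an added example written for this page, not GitGuardian's or GitHub's detector; the file contents it scans are constructed, and the AWS key in them is the documented placeholder value, not a real credential.

```python
"""Minimal pre-push scanner for AWS access key IDs and ODBC connection strings
with embedded passwords. Added example for this page; not GitGuardian's or
GitHub's scanner. Findings are redacted so the report itself cannot re-leak.
"""
import re

PATTERNS = {
    # Long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 [0-9A-Z].
    'aws_access_key_id': re.compile(r'\b((?:AKIA|ASIA)[0-9A-Z]{16})\b'),
    # ODBC / ADO-style strings: a Driver/Server/Data Source field followed by a
    # password field somewhere later on the same line. Group 1 is the password.
    'odbc_connection_string': re.compile(
        r'(?i)\b(?:Driver|Server|Data Source)=[^;\n]+;[^\n]*?\b(?:Pwd|Password)=([^;\n"\']+)'
    ),
}


def redact(value: str) -> str:
    """Keep a 4-character prefix so a finding is recognisable without exposing it."""
    return value[:4] + '*' * max(0, len(value) - 4)


def scan(text: str) -> list:
    """Return one dict per match: line number, pattern name and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({'line': lineno, 'type': name, 'match': redact(m.group(1))})
    return findings


# Constructed sample file. The AKIA value is AWS's documented example key, not a live one.
SAMPLE = """\
# settings.py (constructed sample)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
DB = "Driver={ODBC Driver 17 for SQL Server};Server=db.internal;Database=app;Uid=app;Pwd=Sup3rS3cret!;"
LOG_FORMAT = "AKIA is not a key on its own"
"""

if __name__ == '__main__':
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['type']} -> {f['match']}")
```

Wire scan() into a pre-push hook over the diff of the commits being pushed and refuse the push on any finding. The AWS secret access key on line 3 of the sample is deliberately not matched: it is read from the environment, which is where it belongs, and a scanner tuned to the key ID alone avoids the false positives that a 40-character base64 pattern would generate.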
Conclusion
Patrick Gray wraps up the episode by reiterating the importance of robust cybersecurity measures across all sectors. From supply chain vulnerabilities to legislative changes and evolving malware threats, the episode underscores the dynamic and persistent nature of cyber risks in today’s interconnected world. Listeners are encouraged to stay informed and proactive in safeguarding their digital assets.
Notable Quotes:
- Patrick Gray [00:04]: "An unknown attacker used malicious code they snuck into a popular GitHub action to steal secret keys."
For more detailed insights and updates, subscribe to Risky Bulletin at risky.biz.
