Many top-level open source projects found leaking GitHub authentication tokens

Many top-level open source projects have been discovered leaking GitHub authentication tokens, putting entire projects at risk of data theft and malicious code manipulation.

Cybersecurity researchers from Unit 42 discovered the leaks and reported them to both GitHub and the respective project owners. However, GitHub stated that the issue would not be addressed on its side and that the security of auth tokens rests solely with the project owners.

Unit 42 said it has found open source projects belonging to Google, Microsoft, and AWS leaking GitHub authentication tokens via GitHub Actions artifacts in CI/CD workflows. If an attacker finds these tokens, they can use them to access private repositories and steal or even tamper with source code, turning legitimate projects into malware.

Multiple causes

According to Unit 42, issues such as risky default settings, user misconfiguration and insufficient security controls are at the heart of the problem.

One issue is with the ‘actions/checkout’ action, which by default keeps the GitHub token in the local .git directory (obfuscated) because it is required for authenticated operations. If a developer uploads the full checkout directory as an artifact for some reason, they will unintentionally expose the GitHub token stored in the .git folder.
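As an added example (not code from the Unit 42 report or from BleepingComputer), the following Python scanner flags exactly the pattern described above in an unpacked artifact directory: the `extraheader = AUTHORIZATION: basic <base64>` line that actions/checkout writes under `[http "https://github.com/"]`, whose payload is `x-access-token:TOKEN`. The directory layout and the token value in the fixture are constructed for the demonstration.

```python
"""Scan an unpacked GitHub Actions artifact for a token persisted by actions/checkout.

The action writes the job token to .git/config as
    extraheader = AUTHORIZATION: basic <base64("x-access-token:TOKEN")>
under [http "https://github.com/"], so uploading the checkout directory ships it.
Fix: `persist-credentials: false` on actions/checkout, or exclude .git from uploads.
"""
import base64
import os
import re
import tempfile

# The extraheader line actions/checkout writes (git accepts tab or space indent).
_EXTRAHEADER = re.compile(
    r"^\s*extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def scan_artifact(root: str) -> list[dict]:
    """Walk an unpacked artifact; return one redacted finding per embedded token."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != ".git" or "config" not in files:
            continue
        path = os.path.join(dirpath, "config")
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for blob in _EXTRAHEADER.findall(text):
            try:
                creds = base64.b64decode(blob, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                continue  # not a decodable basic-auth blob; skip it
            user, _, token = creds.partition(":")
            # Log only a prefix: the finding itself must not re-leak the secret.
            findings.append({"file": path, "user": user, "token_redacted": token[:4] + "..."})
    return findings


def build_sample_artifact(with_token: bool = True) -> str:
    """Constructed fixture: a checkout dir whose .git/config may carry a fake token."""
    root = tempfile.mkdtemp(prefix="artifact-")
    os.makedirs(os.path.join(root, ".git"))
    config = "[core]\n\tbare = false\n"
    if with_token:
        fake = "ghs_CONSTRUCTEDEXAMPLETOKEN0000"  # placeholder, not a real token
        blob = base64.b64encode(f"x-access-token:{fake}".encode()).decode()
        config += f'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic {blob}\n'
    with open(os.path.join(root, ".git", "config"), "w", encoding="utf-8") as fh:
        fh.write(config)
    return root
```

Run `scan_artifact()` over the extracted contents of each uploaded artifact in a post-upload job (or over a local checkout before `upload-artifact`) and fail the workflow on any finding.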

More details about the various risk factors Unit 42 discovered can be found at this link.

In total, the researchers found 14 open source projects, belonging to large organizations, whose GitHub tokens are exposed. They reported their findings to each of them:

Firebase (Google)
OpenSearch Security (AWS)
Clair (Red Hat)
Active Directory System (Adsys) (Canonical)
JSON Schemas (Microsoft)
TypeScript Repos Automation, TypeScript Bot Test Trigger, Azure Draft (Microsoft)
CycloneDX SBOM (OWASP)
Stockfish
Libevent
Guardian for Apache Kafka (Aiven-Open)
git-annex (Datalad)
Penrose
Roof
Concrete-ML (Zama AI)

Via BleepingComputer
