Large GitHub repositories lose access tokens, putting code and clouds at risk

An analysis of build artifacts generated by GitHub Actions workflows in large enterprise open source repositories revealed sensitive access tokens for third-party cloud services as well as for GitHub itself. In addition, a change to the GitHub artifacts feature made this year introduced a race condition that attackers can exploit to misuse GitHub tokens that were previously unusable by the time an artifact could be downloaded.

The investigation, conducted by Yaron Avital, a researcher at Palo Alto Networks, found secrets in artifacts stored in dozens of public repositories, some of which corresponded to projects from Google, Microsoft, Amazon AWS, Canonical, Red Hat, OWASP, and other major organizations. The tokens provided access to various cloud services and infrastructure, music streaming services, and more.

“This allows malicious actors with access to these artifacts to compromise the services that these secrets provide access to,” Avital wrote in his report. “In most of the vulnerable projects we discovered during this investigation, GitHub tokens are the most common leaks, allowing an attacker to take action against the triggering GitHub repository, potentially leading to the push of malicious code that can enter production via the CI/CD pipeline or access secrets stored in the GitHub repository and GitHub organization.”
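The practical check a defender wants after reading this is how to tell whether a downloaded artifact carries such a token before an attacker does. The scanner below is an added example written for this article; it is not code from the Palo Alto Networks research, from GitHub, or from any of the projects named above. It assumes the token formats GitHub publishes (the `ghp_`/`ghs_`/`github_pat_` prefixes) and the AWS `AKIA` access-key-ID prefix, and it knows one place plain pattern matching misses: actions/checkout stores the workflow's GITHUB_TOKEN in `.git/config` as a base64-encoded HTTP basic-auth header, so an artifact that was built by uploading the whole checked-out workspace carries the token in a form that never contains the literal `ghs_` string. The artifact scanned here is constructed inline and contains no real credentials.

```python
"""Scan a downloaded GitHub Actions artifact (a zip) for leaked credentials.

Added example; not code from the Palo Alto Networks research or from GitHub.
Token shapes and the .git/config location are format knowledge; the sample
artifact is constructed below and contains no real secrets.
"""
import base64
import io
import re
import zipfile

# Credential shapes to look for. The GitHub prefixes follow GitHub's published
# token format; AWS access key IDs start with AKIA followed by 16 characters.
PATTERNS = {
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# actions/checkout persists the GITHUB_TOKEN it used as an HTTP basic-auth
# header in .git/config. The value is base64("x-access-token:<token>"), so a
# plain grep for "ghs_" over the artifact never sees it; it has to be decoded.
EXTRAHEADER = re.compile(
    r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_git_extraheaders(text):
    """Return the decoded basic-auth values of any git extraheader lines in text."""
    decoded = []
    for m in EXTRAHEADER.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def scan_text(path, text):
    """Match every pattern against the file text and against decoded git headers."""
    findings = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            findings.append((path, kind, m.group(0)))
    for header in decode_git_extraheaders(text):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(header):
                findings.append((path, kind + "/git-extraheader", m.group(0)))
    return findings


def scan_artifact(zip_bytes):
    """Walk every text file in the artifact zip; return (path, kind, secret) tuples."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if b"\x00" in data[:8192]:  # crude binary check: skip compiled outputs
                continue
            findings.extend(scan_text(info.filename, data.decode("utf-8", "replace")))
    return findings


def build_sample_artifact():
    """Constructed artifact imitating a workspace uploaded wholesale (fake data only)."""
    checkout_token = "ghs_" + "A" * 36  # fake GITHUB_TOKEN-shaped value
    basic = base64.b64encode(f"x-access-token:{checkout_token}".encode()).decode()
    git_config = (
        "[core]\n\trepositoryformatversion = 0\n"
        '[http "https://github.com/"]\n'
        f"\textraheader = AUTHORIZATION: basic {basic}\n"
    )
    # AWS's own documented placeholder key ID, not a live credential
    env_dump = "CI=true\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_REGION=us-east-1\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(".git/config", git_config)
        zf.writestr("build/.env", env_dump)
        zf.writestr("build/log.txt", "info: build ok\n")
        zf.writestr("build/app.bin", b"\x7fELF\x00\x00" + b"ghs_" + b"B" * 36)  # binary, skipped
    return buf.getvalue()


if __name__ == "__main__":
    for path, kind, secret in scan_artifact(build_sample_artifact()):
        print(f"{path}: {kind}: {secret[:10]}...")
```

Run against the constructed artifact, the scanner reports the AWS key ID from `build/.env` and the GitHub token hidden in the base64 header of `.git/config`, while the raw-text patterns alone find nothing in that file. Two caveats from the editor rather than the article: an artifact that includes `.git/` almost always comes from uploading the entire workspace, so the narrower fix is to upload only the build outputs and to set `persist-credentials: false` on actions/checkout when later steps do not need the token; and a prefix-based scan is a triage tool, not proof of absence, since tokens for services with no fixed prefix will not match.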