GitHub Actions Security Flaw Compromises 5,500 Repositories

A coordinated cyberattack compromised over 5,500 GitHub repositories by abusing the platform's workflow automation tool. Attackers exfiltrated secrets and credentials via malicious bash scripts.

GitHub Actions Security Flaw Compromises 5,500 Repositories

A coordinated cyberattack compromised over 5,500 GitHub repositories by abusing the platform's workflow automation tool, GitHub Actions. The campaign injected malicious bash scripts into automated workflows between 11:36 and 17:48 UTC on May 18. Attackers pushed more than 5,700 malicious commits directly to main branches using disposable accounts disguised as CI bots. This bypassed standard review processes and allowed direct code integration without human oversight.

Malicious scripts injected into automation workflows bypassed review processes.

The attack targeted the core automation infrastructure that developers rely on for continuous integration and deployment pipelines. Threat actors leveraged GitHub Actions to execute unauthorized scripts across a wide range of projects. The compromised workflows ran automatically, enabling rapid propagation of malicious changes without triggering typical security alerts or requiring manual approval from repository maintainers.

Security researchers identified two primary malicious scripts deployed during the campaign. SysDiag automated secret extraction whenever new pushes or pull requests were submitted to affected repositories. Optimize-Build functioned as a persistent backdoor by replacing legitimate workflow configurations with malicious alternatives. These scripts operated silently within the automation environment, maintaining access and collecting sensitive data across multiple compromised systems.

The attackers exfiltrated over 30 distinct types of secrets from the breached repositories. Stolen credentials included cloud platform keys for AWS, GCP, and Azure environments. The campaign also captured API keys, SSH authentication tokens, and deployment credentials used to manage production infrastructure. This broad collection of access tokens enabled potential unauthorized control over connected cloud services and external systems.

The incident highlights critical vulnerabilities in automated workflow security when repository permissions are insufficiently restricted. Disposable accounts impersonating CI bots successfully bypassed standard review gates by mimicking legitimate automation behavior. The campaign demonstrated how attackers can exploit trusted integration points to gain persistent access across multiple projects simultaneously without detection from traditional monitoring tools.

SafeDep reported the large-scale attack and provided detailed analysis of the compromised repositories and malicious scripts. The security firm documented the specific techniques used to disguise automated accounts and maintain persistence within affected workflows. Their findings emphasize the need for stricter verification processes when integrating third-party automation into critical development pipelines.

Discussion

0 comments

Log in to join the thread with a thoughtful take, question, or correction.

Add to the discussion