GitHub shares vulnerable to typosquatting, exposing developers to hidden malicious code

Sep 6, 2024Ravi LakshmananSoftware Security/Hacking

Cybercriminal attackers have long used typosquatting as a method to trick unsuspecting users into visiting malicious sites or downloading infected programs and packages.

These types of attacks usually involve registering domains or packages with names that are slightly different from their legitimate counterparts (e.g. goog1e.com vs. google.com).

Adversaries targeting open source repositories on various platforms are exploiting typographical errors made by developers to initiate attacks on the software supply chain via PyPI, npm, Maven Central, NuGet, RubyGems, and Crate.

Recent findings from cloud security firm Orca show that even GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform, is not immune to this threat.

“If developers make a typo in their GitHub action that matches the typosquatter behavior, apps can run malicious code without the developer even knowing it,” said Ofir Yakobi, a security researcher, in a report shared with The Hacker News.

The attack is possible because anyone can publish a GitHub action by creating a GitHub account with a temporary email address. Given that actions are run in the context of the user’s repository, a malicious action can be used to manipulate the source code, steal secrets, and use it to deliver malware.

The whole technique is that the attacker creates organizations and repositories with names that closely resemble popular or widely used GitHub shares.

If a user accidentally makes spelling mistakes when configuring a GitHub action for their project and this misspelled version has already been created by an attacker, then the user’s workflow will trigger the malicious action rather than the intended one.

“Imagine an activity that exfiltrates sensitive information or modifies code to introduce subtle bugs or backdoors, potentially impacting all future builds and deployments,” Yakobi said.

“In fact, the compromised operation could even leverage your GitHub credentials to push malicious changes to other repositories in your organization, compounding the damage across multiple projects.”

Orca said a search of GitHub revealed as many as 198 files that call “action/checkout” or “actons/checkout” instead of “actions/checkout” (note the missing “s” and “i”), putting all of those projects at risk.

This form of typosquatting is attractive to cybercriminals because it is a cheap and effective attack that can result in significant breaches of the software supply chain while affecting several downstream customers.

Users are advised to carefully review actions and their names to ensure they reference the correct GitHub organization, use actions from trusted sources, and periodically scan CI/CD processes for typosquatting errors.

“This experiment demonstrates how easily attackers can exploit typosquatting in GitHub Actions and how important vigilance and best practices are in preventing such attacks,” Yakobi said.

“The real problem is even more disturbing, since we are only highlighting what happens in public repositories here. The impact on private repositories, where the same typos can lead to serious security breaches, remains unknown.”