Many top-level open source projects found leaking GitHub auth tokens
Google, AWS, Red Hat, and others have had vulnerable projects sitting on GitHub
Many top-level open source projects have been found leaking GitHub auth tokens, putting entire projects at risk of data theft and malicious code tampering.
Cybersecurity researchers from Unit 42 discovered the mishap and reported it to both GitHub and the corresponding project owners. GitHub, however, said it would not be addressing the issue, and that the security of auth tokens lies solely with project owners.
Unit 42 said it found open source projects from the likes of Google, Microsoft, and AWS leaking GitHub authentication tokens through GitHub Actions artifacts in CI/CD workflows. Should a malicious actor find these tokens, they could use them to access private repositories, steal source code, or even tamper with it, turning legitimate projects into malware.
Multiple payloads
That being said, Unit 42 says issues such as risky default settings, user misconfiguration, and insufficient security checks are at the heart of the problem.
One issue resides in the ‘actions/checkout’ action which, by default, keeps the GitHub token in the local (hidden) .git directory, since it is required for authenticated operations. But if a developer uploads the complete checkout directory as an artifact for any reason, they inadvertently expose the GitHub token inside the .git folder.
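As an added example, not code from the article or from Unit 42, here is a shell check a workflow could run over the directory it is about to upload as an artifact: it counts .git/config files that still carry the credential header actions/checkout persists, so the upload can be refused (or the checkout step switched to persist-credentials: false). The sample checkout layout and the base64 value are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the article or from Unit 42.
# actions/checkout, with persist-credentials left at its default (true), writes
# the job token into .git/config as a line like
#   extraheader = AUTHORIZATION: basic <base64>
# under [http "https://github.com/"]. If that checkout directory is uploaded as
# an artifact, the token travels with it. This check counts .git/config files
# under a directory that still carry such a header.

# count_persisted_tokens DIR -> prints the number of .git/config files with the header
count_persisted_tokens() {
  find "$1" -path '*/.git/config' -type f \
    -exec grep -Eil 'extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION:[[:space:]]*basic' {} + 2>/dev/null \
    | wc -l | tr -d ' '
}

# check_before_upload DIR -> returns 0 when clean, 1 when a persisted token was found
check_before_upload() {
  n=$(count_persisted_tokens "$1")
  if [ "$n" != "0" ]; then
    echo "refusing to upload $1: $n .git/config file(s) still contain a credential header" >&2
    return 1
  fi
  return 0
}

# demo: constructed checkout layouts under a temp dir; the base64 value decodes
# to the placeholder string "PLACEHOLDER", not a real token.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/leaky/.git" "$tmp/clean/.git"
  printf '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic UExBQ0VIT0xERVI=\n' \
    > "$tmp/leaky/.git/config"
  printf '[core]\n\trepositoryformatversion = 0\n' > "$tmp/clean/.git/config"
  leaky=$(count_persisted_tokens "$tmp/leaky")
  clean=$(count_persisted_tokens "$tmp/clean")
  rm -rf "$tmp"
  echo "leaky=$leaky clean=$clean"
}

demo   # prints: leaky=1 clean=0
```

Run it as a step between checkout and upload-artifact; a non-zero exit from check_before_upload fails the job before the artifact leaves the runner.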
More details about the different risk factors Unit 42 discovered can be found onthis link.
In total, the researchers found 14 open source projects, belonging to major organizations, whose GitHub tokens were being exposed. They reported their findings to each one:
Firebase (Google)
OpenSearch Security (AWS)
Clair (Red Hat)
Active Directory System (Adsys) (Canonical)
JSON Schemas (Microsoft)
TypeScript Repos Automation, TypeScript Bot Test Triggerer, Azure Draft (Microsoft)
CycloneDX SBOM (OWASP)
Stockfish
Libevent
Guardian for Apache Kafka (Aiven-Open)
Git Annex (Datalad)
Penrose
Deckhouse
Concrete-ML (Zama AI)
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.