GitHub Actions has become a prime target in supply chain attacks, with examples including s1ngularity against Nx, hackerbot-claw, and TeamPCP’s compromises of Trivy, KICS, and LiteLLM. The article explains that many organizations still have vulnerable workflows and unpinned actions, while GitHub is rolling out new controls such as deterministic dependencies, scoped secrets, and endpoint monitoring. #Nx #Trivy #KICS #LiteLLM #TeamPCP #StepSecurity #Datadog
Keypoints
- GitHub Actions workflows are a major supply chain attack surface because they can execute code, manage secrets, and control deployments.
- The s1ngularity attack on Nx abused the pull_request_target trigger to run arbitrary code through a “pwn request.”
- hackerbot-claw exploited untrusted input in GitHub Actions workflows and achieved remote code execution in more than half of targeted repositories.
- TeamPCP used compromised credentials to publish malicious versions of Trivy and KICS, plus compromised LiteLLM releases on PyPI.
- 38% of organizations have a GitHub Actions workflow vulnerable to script injection or dangerous trigger issues, and two out of three have at least one workflow or action vulnerability.
- Most organizations do not pin actions to a commit SHA, leaving them exposed to retagged or malicious releases.
- GitHub’s roadmap includes deterministic dependencies, central workflow policies, scoped secrets, and endpoint monitoring/control features such as Actions Data Stream and a native egress firewall.
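The three workflow weaknesses the keypoints describe (the pull_request_target "pwn request" shape, untrusted PR metadata reaching a shell step, and actions not pinned to a commit SHA) can be checked mechanically. The following is an added example, not code from the article, Datadog, or StepSecurity: a minimal regex-based audit of one workflow file, where the workflow text and the 40-hex SHA pin are constructed samples.

```python
import re
# Constructed sample (not from the article): a pull_request_target workflow that
# checks out the fork's code, interpolates PR metadata into a shell step, and
# pins one action by floating tag and one by a (placeholder) full commit SHA.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
    types: [labeled]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
          npm test
"""
# Expressions a fork author controls (the article's 'untrusted PR metadata').
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(head_ref|event\.(pull_request\.(title|body|head\.(ref|label)"
    r"|user\.login)|issue\.(title|body)|comment\.body|review\.body))")
USES = re.compile(r"^\s*-\s*uses:\s*([^\s@]+)@(\S+)", re.M)
SHA40 = re.compile(r"^[0-9a-f]{40}$")
PR_HEAD_REF = re.compile(r"^\s*ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.", re.M)
TRIGGER = re.compile(r"^\s*(pull_request_target\s*:|on:.*\bpull_request_target\b)", re.M)
RUN_KEY = re.compile(r"\s*-?\s*run:")

def audit_workflow(text):
    """Return sorted (kind, detail) findings for one workflow YAML text."""
    findings = set()
    if TRIGGER.search(text):
        findings.add(("dangerous_trigger", "pull_request_target"))
        if PR_HEAD_REF.search(text):  # the classic 'pwn request' shape
            findings.add(("pwn_request", "checkout of PR head under pull_request_target"))
    for action, ref in USES.findall(text):
        if not SHA40.match(ref):  # tags and branches can be retagged or force-pushed
            findings.add(("unpinned_action", f"{action}@{ref}"))
    in_run, run_indent = False, 0  # track multi-line 'run: |' block scalars
    for lineno, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if RUN_KEY.match(line):
            in_run, run_indent = line.rstrip().endswith(("|", ">")), indent
        elif in_run and line.strip() and indent <= run_indent:
            in_run = False
        if (in_run or RUN_KEY.match(line)) and UNTRUSTED.search(line):
            findings.add(("script_injection", f"line {lineno}"))
    return sorted(findings)
```

Running it over `SAMPLE_WORKFLOW` reports all four finding kinds; a push-triggered workflow whose actions are SHA-pinned and whose run steps use no PR-controlled expressions reports none.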
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Used when workflow input is passed into shell commands, enabling arbitrary command execution (‘if that data is passed directly into a shell command, you’ve effectively given an attacker a way to inject and execute arbitrary code’).
- [T1204] User Execution – Referenced through malicious pull requests and user-controlled metadata that trigger unsafe workflow behavior (‘workflow to run only when a specific label is applied’, ‘untrusted PR metadata’).
- [T1195] Supply Chain Compromise – Malicious versions of Trivy, KICS, and LiteLLM were published by abusing compromised credentials (‘publish a malicious release’, ‘part of a broader supply chain campaign’).
- [T1552] Unsecured Credentials – Compromised credentials were used to publish malicious releases and force version tags to attacker-controlled code (‘they used compromised credentials to publish a malicious release’).
- [T1611] Escape to Host – Not a host escape as such; the article describes code execution inside runners that can lead to broader compromise, cited here in the context of workflow RCE (‘achieving remote code execution’).
- [T1068] Exploitation for Privilege Escalation – The pull_request_target trigger was abused to gain an elevated execution context beyond normal pull request permissions (‘exploit it to escalate their privileges’, ‘upgraded privilege’).
Indicators of Compromise
- [Repository/Project Names] Affected targets and compromised packages – Nx, Trivy, KICS, LiteLLM, Datadog open source repository.
- [GitHub Workflow Trigger / Reference Names] Vulnerable or abused workflow references – pull_request_target, @v1, @v2.
- [File/Artifact Names] Workflow and action examples referenced in the article – .github/actions/my-js-action, workflow YAML files.
- [Cloud/Service Endpoints] Telemetry destinations for new GitHub controls – Amazon S3, Azure Event Hub, Azure Data Explorer.
Read more: https://securitylabs.datadoghq.com/articles/case-for-github-actions-security/