Get the latest tech news
GitHub Actions Typosquatting: a High-Impact Supply Chain Attack-in-Waiting?
GitHub Actions let developers "automate software builds and tests," writes CSO Online, "by setting up workflows that trigger when specific events are detected, such as when new code is committed to the repository." They also "can be reused and shared with others on the GitHub Marketplace, which cu...
GitHub Actions let developers "automate software builds and tests," writes CSO Online, "by setting up workflows that trigger when specific events are detected, such as when new code is committed to the repository. Researchers from Orca Security recently investigated the impact typosquatting can have in the GitHub Actions ecosystem by registering 14 GitHub organizations with names that are misspellings of popular Actions owners — for example, circelci instead of circleci, actons instead of actions, google-github-actons instead of google-github-actions... One might think that developers making typos is not very common, but given the scale of GitHub — over 100 million developers with over 420 million repositories — even a statistically rare occurrence can mean thousands of potential victims. Out of the 14 typosquatted organizations that Orca set up for their proof-of-concept, GitHub only suspended one over a three-month period — circelci — and that's likely because someone reported it.
Or read this on Slashdot