
GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code

by Ravie Lakshmanan | Sep 06, 2024 | Software Security / Hacking

Threat actors have long leveraged typosquatting as a means to trick unsuspecting users into visiting malicious websites or downloading booby-trapped software and packages.

These attacks typically involve registering domains or packages with names slightly altered from their legitimate counterparts (e.g., goog1e.com vs. google.com).

Adversaries targeting open-source package registries have relied on developers' typing errors to initiate software supply chain attacks through PyPI, npm, Maven Central, NuGet, RubyGems, and crates.io.


The latest findings from cloud security firm Orca show that even GitHub Actions, a continuous integration and continuous delivery (CI/CD) platform, is not immune from the threat.

“If developers make a typo in their GitHub Action that matches a typosquatter’s action, applications could be made to run malicious code without the developer even realizing,” security researcher Ofir Yakobi said in a report shared with The Hacker News.

The attack is possible because anyone can publish a GitHub Action by creating a GitHub account with a throwaway email address. Because an action runs inside the workflow that invokes it, with that workflow's GITHUB_TOKEN and whatever secrets the workflow passes to it, a malicious action could tamper with the source code, steal secrets, and use them to deliver malware.

All that the technique involves is for the attacker to create organizations and repositories with names that closely resemble popular or widely-used GitHub Actions. A workflow references an action as owner/repository@ref (for example, actions/checkout@v4), so the attacker only needs to register a misspelled owner name or repository name and publish an action under it.

If a user makes an inadvertent spelling error when setting up a GitHub Action for their project and that misspelled name has already been registered by the adversary, then the user's workflow will run the malicious action instead of the intended one.

“Imagine an action that exfiltrates sensitive information or modifies code to introduce subtle bugs or backdoors, potentially affecting all future builds and deployments,” Yakobi said.

“In fact, a compromised action can even leverage your GitHub credentials to push malicious changes to other repositories within your organization, amplifying the damage across multiple projects.”

Orca said that a search on GitHub revealed as many as 198 files that invoke “action/checkout” or “actons/checkout” instead of “actions/checkout” (note the missing “s” and “i”), putting all those projects at risk.

This form of typosquatting is appealing to threat actors because it’s a low-cost, high-impact attack that could result in powerful software supply chain compromises, affecting several downstream customers all at once.


Users are advised to double-check actions and their names to ensure they are referencing the correct GitHub organization, stick to actions from trusted sources, and periodically scan their CI/CD workflows for typosquatting issues. Organization and repository owners can also enforce this with GitHub's Actions permissions policy ("Allow select actions and reusable workflows"), so that a workflow referencing an owner outside the allowlist fails instead of running.
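The periodic scan recommended above can be automated. The following Python script is an added example, not Orca's tooling or code from the report: it extracts every `uses:` reference from a workflow file, compares the owner/repository part against an allowlist of trusted actions by edit distance, flags near-misses as likely typosquats and unknown actions as unlisted, and separately flags trusted actions that are pinned to a tag rather than a full commit SHA. The allowlist, the distance threshold, and the embedded workflow text are constructed for this example and are not from the page.

```python
"""Flag typosquatted, unlisted and unpinned `uses:` references in GitHub Actions workflows.

Added example, not code from Orca's report. The trusted-action list, the
edit-distance threshold and the sample workflow below are assumptions.
"""
import re

# Actions this (hypothetical) organization has reviewed and allows.
TRUSTED_ACTIONS = {
    "actions/checkout",
    "actions/setup-node",
    "actions/upload-artifact",
    "docker/build-push-action",
}

# A `uses:` value is owner/repo[/path]@ref, ./local/path, or docker://image.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow containing the two typos named in the article.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actons/checkout@v4          # typo: missing "i"
      - uses: action/checkout@v4          # typo: missing "s"
      - uses: actions/setup-node@v4       # correct name, but pinned to a tag, not a SHA
        with:
          node-version: 20
      - uses: ./.github/actions/lint      # local action, not a registry reference
      - uses: docker://alpine:3.20        # container image, not an action repository
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_uses(workflow_text: str) -> list[str]:
    """Return every `uses:` value in the workflow, in file order."""
    return USES_RE.findall(workflow_text)


def split_ref(ref: str) -> tuple[str, str]:
    """Split owner/repo[/path]@version into ("owner/repo", version)."""
    name, _, version = ref.partition("@")
    parts = name.split("/")
    return "/".join(parts[:2]), version


def find_typosquats(workflow_text: str, trusted=TRUSTED_ACTIONS, max_distance: int = 2) -> list[dict]:
    """Classify each action reference as typosquat, unlisted, or unpinned (trusted refs only)."""
    findings = []
    for ref in parse_uses(workflow_text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are not owner/repo references
        name, version = split_ref(ref)
        if name in trusted:
            if not FULL_SHA_RE.match(version):
                findings.append({"kind": "unpinned", "ref": ref, "looks_like": name, "distance": 0})
            continue
        closest = min(trusted, key=lambda t: edit_distance(name, t))
        distance = edit_distance(name, closest)
        kind = "typosquat" if distance <= max_distance else "unlisted"
        findings.append({"kind": kind, "ref": ref, "looks_like": closest, "distance": distance})
    return findings


if __name__ == "__main__":
    for f in find_typosquats(SAMPLE_WORKFLOW):
        print(f"{f['kind']:<10} {f['ref']:<32} nearest trusted: {f['looks_like']} (distance {f['distance']})")
```

Running the script over the sample reports actons/checkout and action/checkout as typosquats of actions/checkout (distance 1) and actions/setup-node as unpinned. The distance check is deliberately applied to the whole owner/repo string, since the article's examples include a typo in the owner and the attacker can register either part; the unpinned check is a separate signal, because a full-length SHA ties the workflow to reviewed code even when the name is right.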

“This experiment highlights how easy it is for attackers to exploit typosquatting in GitHub Actions and the importance of vigilance and best practices in preventing such attacks,” Yakobi said.

“The actual problem is even more concerning because here we are only highlighting what happens in public repositories. The impact on private repositories, where the same typos could be leading to serious security breaches, remains unknown.”
