Subj : Many top-level open source projects found leaking GitHub auth tok
To   : All
From : TechnologyDaily
Date : Thu Aug 15 2024 16:45:05

Many top-level open source projects found leaking GitHub auth tokens
Date: Thu, 15 Aug 2024 15:30:00 +0000
Description: Google, AWS, Red Hat, and others, have had vulnerable projects sitting on GitHub, leaking auth tokens.

FULL STORY
======================================================================

Many top-level open source projects have been found leaking GitHub auth tokens, putting entire projects at risk of data theft and malicious code tampering.

Cybersecurity researchers from Unit 42 discovered the mishap and reported it to both GitHub and the corresponding project owners. GitHub, however, said it wouldn't be addressing the issue, and that the security of auth tokens lies solely with project owners.

Unit 42 said it found open source projects from the likes of Google, Microsoft, and AWS leaking GitHub authentication tokens through GitHub Actions artifacts in CI/CD workflows. Should a malicious actor find these tokens, they could use them to access private repositories, steal source code, or even tamper with it, turning legitimate projects into malware.

Multiple payloads

That being said, Unit 42 says issues such as risky default settings, user misconfiguration, and insufficient security checks are at the heart of the problem.

One issue resides in the actions/checkout action which, by default, keeps the GitHub token in the local (hidden) .git directory, since it's required for authenticated operations. But if a developer uploads the complete checkout directory for any reason, they will inadvertently expose the GitHub token inside the .git folder.

More details about the different risk factors Unit 42 discovered can be found on this link.

In total, the researchers found 14 open source projects, belonging to major organizations, whose GitHub tokens are being exposed. They reported their findings to each one:

- Firebase (Google)
- OpenSearch Security (AWS)
- Clair (Red Hat)
- Active Directory System (Adsys) (Canonical)
- JSON Schemas (Microsoft)
- TypeScript Repos Automation, TypeScript Bot Test Triggerer, Azure Draft (Microsoft)
- CycloneDX SBOM (OWASP)
- Stockfish
- Libevent
- Guardian for Apache Kafka (Aiven-Open)
- Git Annex (Datalad)
- Penrose
- Deckhouse
- Concrete-ML (Zama AI)

Via BleepingComputer

More from TechRadar Pro
- GitHub malware spreads by hackers spoofing Microsoft files
- Here's a list of the best malware removal tools around today
- These are the best endpoint security tools right now

======================================================================
Link to news story: https://www.techradar.com/pro/security/many-top-level-open-source-projects-found-leaking-github-auth-tokens

--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)
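As an added example of the .git-directory exposure described in the story (not part of the original article or of Unit 42's work): a POSIX shell pre-upload guard that refuses to archive a checkout directory whose .git/config still carries the credential actions/checkout persists by default. It assumes the token sits under the http.<url>.extraheader key, which is where actions/checkout writes it, and uses constructed sample configs with a placeholder instead of a real token.

```shell
#!/bin/sh
# Pre-upload guard for a GitHub Actions job: run it before actions/upload-artifact
# on any directory that came from actions/checkout. Exit 0 = clean, 1 = a persisted
# credential was found and the directory must not be uploaded.
# Assumption: actions/checkout persists the token as http.<url>.extraheader in
# .git/config when persist-credentials is left at its default (true).
check_checkout_for_token() {
    dir="$1"
    cfg="$dir/.git/config"
    [ -f "$cfg" ] || return 0   # no .git directory: nothing to leak from here
    # Look only for the basic-auth header line; never echo its value anywhere.
    if grep -qiE '^[[:space:]]*extraheader[[:space:]]*=[[:space:]]*AUTHORIZATION:' "$cfg"; then
        echo "REFUSING UPLOAD: $cfg carries a persisted GitHub credential" >&2
        echo "Fix: set persist-credentials: false on actions/checkout, or exclude .git from the artifact" >&2
        return 1
    fi
    return 0
}

# Constructed sample checkouts for the demo; the header value is a placeholder, not a token.
make_sample() {
    root="$1"; leaky="$2"
    mkdir -p "$root/.git"
    printf '[core]\n\trepositoryformatversion = 0\n' > "$root/.git/config"
    if [ "$leaky" = yes ]; then
        printf '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic PLACEHOLDER_BASE64\n' >> "$root/.git/config"
    fi
}

demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/leaky" yes
    make_sample "$tmp/clean" no
    for d in leaky clean; do
        # Wrapped in if so the guard's non-zero exit does not abort under set -e.
        if check_checkout_for_token "$tmp/$d"; then echo "$d: safe to upload"; else echo "$d: blocked"; fi
    done
    rm -rf "$tmp"
}
demo
```

In a workflow the guard belongs in a step between checkout and upload; the durable fix remains persist-credentials: false plus never uploading .git at all.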