Hacker News new | past | comments | ask | show | jobs | submit login

So this dumps env to stdout using some obfustucated code? And then relies on the fact logs are viewable publicly so the attacker can go scrape your secrets.

If so, why did they use obfustucated code? Seems innocuous enough to load env into environment vars, and then later to dump all env vars as part of some debug routine. Eg. 'MYSQL env var not set, mysql integration will be unavailable. Current environment vars: ${dumpenv}'




Presumably the cracker:

1. spoofed an account whose PRs were auto-merged (renovate[bot]) 2. found that `index.js` was marked as binary, and knew that GitHub is "helpful" (for the exploit), and hides diffs in the PR for that file by default 3. shoved the chunk of base64 wayyyy down the commit, so the maintainer had review fatigue by the time they scrolled. Having "memdump.py" in the commit in plaintext would certainly highlight the exploit more than the b64 string.


Sounds about right to me. We can use a few knowns about GitHub IAM to deduce a few things:

1. There are no deleted PRs or Issues on the repo (2461..2463 are all valid refs)

2. A legitimate `Renovate[Bot]` dep bump would have filed a PR. Last such PR was 5 days ago, and is presumably not the source for this. (I haven't gone through every dep change, but doesn't look like it).

3. That leaves us with the 0e58ed867 commit, which has to be a spoofed commit, since it doesn't belong to a branch and we don't have a corresponding PR(1). A complete takeover of the repo can result in a hanging commit (by deleting the renovate bump branch), but there must be a hanging PR-ref around. Since there isn't one:

4. All of the above points to a compromised account that has write access to the repo.

There is also the https://github.com/tj-actions-bot account, but unclear if it has write access.

Edit: gurchik's guess at https://github.com/tj-actions/changed-files/issues/2463#issu... seems more likely:

> 1. Fork the repository > > 2. Push compromised code to the fork > > 3. Update the tags in the parent repository to point to the SHA of the fork


> Update the tags in the parent repository to point to the SHA of the fork

I don't think that's possible.

Forks are a GitHub UI construct.

There would be two .git dirs so for all intents and purposes they're two repos that don't know about each other.

Locally you can't refer to a commit that's in a different dir...


You just set two remotes locally, create a tag and push just the tag to upstream. You can definitely do it locally, and I think GitHub doesn’t prevent such pushes either.


Yes, but:

a) you'd need write permissions for the original remote

b) even if you did, that'd push the commit to the original repo with the tags


Renovate can be configured to update dependencies without raising a pull request.


No idea. But they didn't do a great job -- they broke the action, which caused build failures that people were going to notice.

The malicious commit only landed at 09:57 PDT today (March 14) in one specific action (out of a number that is quite popular). Maybe they were planning on coming back and doing proper exfil?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: