https://orca.security/resources/blog/typosquatting-in-github-actions/
A new report from cloud security firm Orca warns developers about a concerning security risk – typosquatting in GitHub Actions. This technique leverages developers’ typos to trick them into running malicious code within their projects.
Typosquatting involves creating names that closely resemble legitimate ones, hoping users will make a typo and visit a malicious site. In this case, attackers create fake GitHub Actions with names similar to popular ones. If a developer accidentally misspells an action name, their workflow will unknowingly run the malicious code instead of the intended action.
This vulnerability is particularly concerning because malicious actions could steal sensitive information, tamper with code, or introduce backdoors. These compromised actions could even exploit a developer’s credentials to push malicious changes to other repositories within their organization.
Researchers found nearly 200 public GitHub repositories that likely fell victim to typosquatting by referencing misspelled versions of popular actions. This highlights the potential impact of typosquatting attacks, especially considering numerous downstream customers could be affected by a single compromised project.
Protecting Yourself from Typosquatting Attacks:
- Double-check action names: Ensure you’re referencing the correct GitHub organization and action name before integrating them into your workflow.
- Stick to trusted sources: Use established and trusted sources for your GitHub Actions.
- Scan for typosquatting issues: Regularly scan your CI/CD workflows to identify potential typosquatting vulnerabilities.
“This research emphasizes the ease with which attackers can exploit typosquatting and the importance of developer vigilance,” said Orca security researcher Ofir Yakobi. “The potential impact on private repositories is especially concerning, as security breaches might go undetected.”
By following these best practices and remaining vigilant, developers can protect themselves from the dangers of typosquatting in GitHub Actions.