Tag: Github Actions

All articles tagged with #github actions

Bitwarden CLI Breach Ties to Checkmarx Supply Chain Campaign
technology · 1 month ago

Bitwarden CLI version 2026.4.0 was compromised via a malicious bw1.js distributed through npm during the Checkmarx supply chain campaign. Attackers exploited a compromised GitHub Action in Bitwarden's CI/CD to steal tokens, secrets and credentials and exfiltrate them to audit.checkmarx.cx (with a fallback GitHub repository). The malware can inject malicious workflows to harvest secrets across downstream pipelines. Bitwarden says no end-user vault data was accessed and that the issue was contained, with the affected release deprecated. The incident is linked to TeamPCP and related to the Shai-Hulud activity; a CVE will be issued for this release.

Checkmarx Supply-Chain Breach: Poisoned KICS Docker Images and Malicious VS Code Extensions
security · 1 month ago

Security researchers warn of a Checkmarx supply-chain breach. Attackers overwrote tags in the official checkmarx/kics Docker Hub repository (notably v2.1.20 and alpine, and added a new v2.1.21 tag) with a compromised KICS binary that exfiltrates data and can encrypt scan reports and send them to an external endpoint. Separately, the Checkmarx VS Code extensions cx-dev-assist and ast-results (versions 1.17.0/1.19.0) load a remote mcpAddon.js via a hard-coded GitHub URL, enabling credential theft and propagation; the attackers injected a backdated commit to introduce a large payload. The attack uses stolen tokens to create public repos and GitHub Actions workflows, and to exfiltrate GitHub, AWS/Azure/GCP credentials, npm configs, SSH keys, and environment variables to public repos and to an attacker-controlled endpoint. The operation also spreads through the npm ecosystem by republishing ~250 compromised packages, and 51 repos reference Checkmarx Configuration Storage in their READMEs. TeamPCP is suspected. Mitigation includes removing affected artifacts, rotating credentials, auditing GitHub workflows, reviewing npm packages, and monitoring access logs.

Trivy hit by TeamPCP supply-chain attack through GitHub Actions
security · 2 months ago

The Trivy vulnerability scanner was compromised in a supply-chain attack by the threat actor TeamPCP, who backdoored the Trivy GitHub build process and trojanized releases and related GitHub Actions (notably v0.69.4). This allowed an infostealer to harvest credentials and other secrets from GitHub Actions runners, CI configs, and local developer environments, exfiltrating the data to a typosquatted C2 server or via a public repo. The attackers gained write access to publish malicious releases and force-push most tags, making detection difficult; Aqua Security linked the breach to an earlier credential exfiltration and noted that token rotation wasn't atomic. The incident is connected to a follow-up CanisterWorm npm campaign by the same actor. Remediation includes rotating all secrets, auditing for compromise, and investigating for persistence across environments.

Microsoft's November 2023 Patch Tuesday addresses critical bugs and leaked credentials
technology · 2 years ago

Microsoft has patched a critical security vulnerability in Azure CLI that could have allowed attackers to steal credentials from GitHub Actions or Azure DevOps logs. The vulnerability, reported by a security researcher, could enable unauthenticated attackers to remotely access plain text contents written by Azure CLI to CI/CD logs. Microsoft advises customers to update to the latest Azure CLI version (2.54) and take steps to prevent accidental exposure of secrets in logs. The company has also implemented new security measures to restrict the presentation of secrets in output and broaden credential redaction capabilities.