GitHub suffers a cascading supply chain attack compromising CI/CD secrets

Widening impact assessment

The tj-actions developers had previously reported that they could not determine exactly how attackers gained access to their GitHub personal access token. This new finding from Wiz provides the missing link, suggesting that the initial reviewdog compromise was the first domino in this cascading attack chain.

Beyond the confirmed compromise of reviewdog/action-setup@v1, the investigation has revealed several other potentially impacted actions from the same developer. These include reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos. The full extent of the compromise across these tools remains under investigation.

While GitHub and the reviewdog maintainers have implemented fixes, Wiz warns that if any compromised actions remain in use, a repeat attack targeting “tj-actions/changed-files” could still occur, particularly if exposed secrets are not rotated.
