GitHub Actions is an extremely powerful tool that a majority of developers find indispensable these days.
For those who don’t know, GitHub Actions (GHA) is a tool integrated in GitHub that allows you to execute workflows right from your GitHub repositories.
These workflows can be configured from scratch using a .yml configuration file or downloaded from the extensive GitHub Marketplace for a variety of use cases. From Continuous Integration & Continuous Deployment (CI/CD) pipelines, to code quality, to security, to testing - the power of Actions is really up to you.
In simplest terms, GitHub Actions is an automation tool for developers meant to streamline processes and make their workflow more efficient.
And how popular is this tool exactly?
Well, as of 2023, GitHub reported that it has over 100 million users and 372 million repositories. 28 million of those repositories are public, and each month, over 263 million Actions are triggered.
That’s an insane amount of volume.
So, what’s the problem?
Typosquatting in GitHub Actions
Typosquatting is when a malicious actor creates digital resources that are intentionally similar to legitimate ones, leveraging common typos or misspellings to trick users.
One of the first iterations we saw of this attack was typosquatted domains. For example, a user attempting to visit example.com might accidentally type one of the following: examp1e.com, examplle.com, or exanple.com. Instead of the intended site, they land on a 1-for-1 recreation built to trick them into entering PII or, worse, their credentials for the legitimate site.
We’ve also seen this in software development with malicious packages, again with names resembling trusted libraries looking to trick developers into installing and using them.
But now, we’re seeing this attack evolve to GitHub Actions.
Malicious actors are creating organizations and repositories with names similar to the most popular Actions that you know and trust, ones you may even use in your own repositories!
Let’s take the popular action, actions/upload-artifact. I’m sure we can both think of different ways to spoof this action’s name: uploads-artifact, upload-artifacts, uploads-artifacts… And what about the org, actions? A new one could be registered as action, actiom, or actioms.
Malicious actors are spinning webs all over GitHub and just waiting for their prey.
Why is this Dangerous?
GitHub Actions are more than just a way to orchestrate, automate, and deploy your code. These processes run in the context of your repository and can even access sensitive artifacts like secrets and configuration details.
A malicious Action could run harmful commands on your system without you knowing, send sensitive data to the threat actors in the middle of your workflow, introduce vulnerabilities into your code… the same flexibility that’s provided to you as a developer is also provided to these threat actors.
A theorized attack is one where, similar to session riding, the Action leverages your credentials and even pushes changes to your repository - something I’m calling Action Hijacking.
Why do we Need to Know This?
From one look at the GitHub Marketplace, you’ll realize there are too many workflows to even count.
And it begs the question: are developers even aware of the dangers that lie in front of them?
In my experience - No… but it’s not their fault!
In the organizations I’ve worked in, I’ve come to realize that security is not necessarily front-of-mind for developers. In the day and age of agile programming, developers are often pressured to ship fast and deliver a functional product as soon as possible. Revenue is the name of the game.
Even in organizations where cybersecurity teams interface directly with engineering teams to provide code reviews and guidance on best practices, is using the correct action even a thought? Is checking the spelling of imported actions on your checklist, or, if it runs, is it just assumed to be correct?
The answer to that truly depends on whether the security team is even aware of typosquatting in Actions.
And what about indie hackers?
The community is booming at the moment (and I love it, I’m not trying to take away from anything that they ship there) - but I can guarantee security is definitely not a forethought with the speed of shipping over there.
The Real Problem
Is determining if an Action is legitimate too difficult?
From a UI perspective - no, I don’t think so. GitHub has a “Verified” feature on their organizations, similar to what you’d see as a blue checkmark on Twitter/X (my one gripe being that it doesn’t show the verified badge on the individual repositories, but I digress).
But the real problem isn’t necessarily just double checking your spelling… are you double checking that the action is really doing what it’s saying it’s doing?
The problem also boils down to implicitly needing to trust whoever wrote and owns the Action you’re using, because some of these Actions can get really intensive.
Which really highlights that anyone can publish a GitHub Action - it’s as simple as spinning up a temporary email and creating an account. No reputation checks, sanitization, or minimum lifetime requirement.
But is it really plausible to expect this from GitHub? Does this cause too much friction for what it’s worth?
The Realistic Solution
While I think it is completely plausible to believe that some responsibility should be passed to GitHub itself - it’s entirely unrealistic to audit every single action deployed and every single account opened.
However, I do think it’s realistic to monitor for lookalikes of popular actions through fuzzing techniques with wordlists.
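The same lookalike idea can be applied on the consumer side, as an added example that is not from the original article: this sketch audits the `uses:` references in a workflow file against a team allowlist and flags near-miss names by edit distance. The `TRUSTED` allowlist, the `max_distance` threshold of 2, and the sample workflow (including `some-vendor/deploy-tool`) are assumptions made for illustration.

```python
import re

# Assumed allowlist of owner/repo names this team has reviewed; replace with your own.
TRUSTED = {"actions/checkout", "actions/upload-artifact", "actions/setup-node"}

# Matches `uses: owner/repo[/path]@ref`; local (./...) and docker:// references never match.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+)/([\w.-]+)(?:/[^@\s'\"]*)?@", re.M)

def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_workflow(text, trusted=TRUSTED, max_distance=2):
    """Return (action, verdict, nearest_trusted) for every remote `uses:` reference."""
    findings = []
    for owner, repo in USES_RE.findall(text):
        action = f"{owner}/{repo}".lower()  # GitHub owner/repo names are case-insensitive
        if action in trusted:
            findings.append((action, "trusted", action))
            continue
        nearest = min(trusted, key=lambda t: edit_distance(action, t))
        if edit_distance(action, nearest) <= max_distance:
            findings.append((action, "lookalike", nearest))  # close to a trusted name, not equal
        else:
            findings.append((action, "unreviewed", None))    # unknown action, needs a human look
    return findings

# Constructed sample workflow; the misspelled names are variants mentioned in this article.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: action/checkout@v4
      - uses: actions/uploads-artifacts@v4
      - uses: ./.github/actions/local-step
      - uses: some-vendor/deploy-tool@v1
"""

if __name__ == "__main__":
    for action, verdict, nearest in audit_workflow(SAMPLE):
        print(f"{verdict:10} {action}" + (f"  (did you mean {nearest}?)" if nearest and verdict == "lookalike" else ""))
```

A "lookalike" verdict is a prompt for review rather than proof of malice, since a legitimate action can sit close to a trusted name.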
But, I think the real solution boils down to what many cybersecurity principles rely on - education.
The simplest solution is to reinforce that as a developer, it’s important to understand what you’re using and to always double check when you’re importing resources from another project.
Education is truly the frontline of cybersecurity, and it’s necessary to bring awareness to typosquatting in GitHub Actions. Hopefully this article can do that for you, and will be passed on to someone who needs to know.
Securely Yours,
The Cybersec Cafe
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!