GitHub, Grafana Labs breaches traced back to TanStack supply chain compromise

9:12 AM

GitHub CISO Alexis Wales has named the malicious VS Code extension behind the breach the company suffered at the hands of the threat group TeamPCP: Nx Console, a popular developer tool with 2.2 million installs.

A malicious version of the otherwise benign extension was used to steal secrets and developer credentials, which were then used to move through CI/CD pipelines and exfiltrate around 3,800 of GitHub’s private code repositories.

One missed token, many victims

The company confirmed the compromise on Wednesday and promised to publish a fuller report once its investigation is complete.

Soon after, Wales publicly identified the poisoned VS Code extension that a GitHub employee had installed, which is what gave the attackers their foothold and, eventually, access to the repositories.

Nx Console maintainers have been sharing information surfaced by their own investigation into how a malicious version of the extension was published on both the Microsoft-owned Visual Studio Marketplace and the vendor-neutral registry Open VSX.

“One of our developers was compromised by a recent supply-chain compromise on TanStack, which leaked their GitHub credentials through the GitHub CLI (gh). This allowed the attacker to run workflows on our GitHub repository as a contributor,” they explained.

“According to Microsoft and OpenVSX, download numbers for the impacted 18.95.0 version were a low 28 and 41 respectively. However, according to our own internal analytics, we believe the impact to be two orders of magnitude higher, with thousands of affected users.”

One of the affected users turned out to be the GitHub employee. The compromised extension fetched an obfuscated payload, which was able to harvest victims’ credentials.

Among those were login tokens for the HashiCorp Vault secrets manager; credentials used to authenticate via Kubernetes or AWS identity systems; authentication tokens used to publish packages to npm registries; GitHub personal access tokens, OAuth tokens, and app tokens; credentials stored in the victim’s 1Password vault; and Google Cloud Platform and Docker credentials.

“Harvested data was exfiltrated via HTTPS, the GitHub API, and DNS. On Linux it also attempted sudoers injection for persistence,” the Nx Console maintainers noted, and provided remediation advice, which includes rotating “every credential reachable from the machine.”
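The maintainers' advice above ("rotate every credential reachable from the machine") is easier to act on with an inventory. The script below is an added example, not code from Nx Console, GitHub or Help Net Security: it checks whether the affected 18.95.0 release is installed, turns the list of harvested credential types into a rotation checklist based on which stores exist on the host, and lists passwordless sudoers rules for manual review. The extension id `nrwl.angular-console`, the `~/.vscode/extensions/<publisher>.<name>-<version>` directory layout and the credential file locations are assumptions, not facts from the article, and the sudoers check flags every NOPASSWD grant because the article does not describe the injected rule.

```python
#!/usr/bin/env python3
"""Host triage after the malicious Nx Console 18.95.0 release.

Added example, not code from Nx Console, GitHub or Help Net Security.
Assumptions (not stated in the article): VS Code installs extensions as
~/.vscode/extensions/<publisher>.<name>-<version>[-<platform>], the Nx
Console marketplace id is "nrwl.angular-console", and the credential
file locations below are the conventional defaults for each tool.
"""
from __future__ import annotations

import os
import re
from pathlib import Path
from typing import Iterable

AFFECTED_EXTENSION = "nrwl.angular-console"  # assumption: Nx Console marketplace id
AFFECTED_VERSION = "18.95.0"                  # release named by the maintainers

# Non-greedy id, then "-" and a version starting with digits; a platform
# suffix such as "-win32-x64" is absorbed into the version group.
_EXT_DIR_RE = re.compile(r"^(?P<id>.+?)-(?P<version>\d+\.\d+\.\d+[^/]*)$")

# (label, path relative to $HOME) for the credential types the maintainers
# say were harvested; the paths are conventional defaults (assumption).
CREDENTIAL_STORES = [
    ("GitHub CLI (gh) token", ".config/gh/hosts.yml"),
    ("npm registry publish token", ".npmrc"),
    ("AWS credentials", ".aws/credentials"),
    ("Kubernetes kubeconfig", ".kube/config"),
    ("HashiCorp Vault token", ".vault-token"),
    ("Docker registry credentials", ".docker/config.json"),
    ("GCP application default credentials",
     ".config/gcloud/application_default_credentials.json"),
]

# No single file to test for; "rotate everything reachable" means these
# always go on the list.
ALWAYS_ROTATE = [
    "GitHub personal access, OAuth and app tokens used from this machine",
    "1Password items unlocked or exported on this machine",
]


def parse_extension_dir(name: str) -> tuple[str, str] | None:
    """Split 'publisher.name-1.2.3[-platform]' into (id, version)."""
    m = _EXT_DIR_RE.match(name)
    if not m:
        return None
    return m.group("id"), m.group("version").split("-")[0]


def find_affected(dir_names: Iterable[str]) -> list[str]:
    """Extension directory names that are exactly the affected release."""
    return [n for n in dir_names
            if parse_extension_dir(n) == (AFFECTED_EXTENSION, AFFECTED_VERSION)]


def rotation_checklist(existing: set[str], home: str) -> list[tuple[str, str | None]]:
    """File-backed credentials that exist on the host, plus the always-rotate set."""
    items: list[tuple[str, str | None]] = []
    for label, rel in CREDENTIAL_STORES:
        path = os.path.join(home, rel)
        if path in existing:
            items.append((label, path))
    items.extend((label, None) for label in ALWAYS_ROTATE)
    return items


def nopasswd_sudoers_rules(lines: Iterable[str]) -> list[str]:
    """Active (non-comment) sudoers rules granting NOPASSWD, for manual review."""
    out = []
    for raw in lines:
        line = raw.strip()
        if line and not line.startswith("#") and "NOPASSWD" in line:
            out.append(line)
    return out


def main() -> None:
    home = str(Path.home())
    ext_root = Path(home) / ".vscode" / "extensions"
    names = [p.name for p in ext_root.iterdir()] if ext_root.is_dir() else []
    for hit in find_affected(names):
        print(f"[!] affected extension installed: {ext_root / hit}")

    existing = {os.path.join(home, rel) for _, rel in CREDENTIAL_STORES
                if os.path.exists(os.path.join(home, rel))}
    for label, path in rotation_checklist(existing, home):
        print(f"[rotate] {label}" + (f" ({path})" if path else ""))

    sudo_files = [Path("/etc/sudoers"), *Path("/etc/sudoers.d").glob("*")]
    for f in sudo_files:
        try:
            for rule in nopasswd_sudoers_rules(f.read_text().splitlines()):
                print(f"[review] {f}: {rule}")
        except (PermissionError, FileNotFoundError):
            print(f"[skip] {f}: not readable (rerun as root)")


if __name__ == "__main__":
    main()
```

Run it as the developer who installed the extension and again as root (the sudoers files are root-readable only); the checklist is a starting point, since a harvested token may also live in shell history, environment files or a password manager session that no file check will find.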

Grafana Labs, which similarly got its GitHub environment compromised and codebase stolen, also traced the compromise back to the TanStack npm supply chain attack.

“The incident originated from a TanStack npm supply chain attack via the Mini Shai-Hulud campaign. We detected the malicious activity on May 11 and immediately initiated our incident response plan,” shared Joe McManus, the Grafana Labs chief information security officer.

“We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories. A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised.”

The company has been contacted by the attackers, who demanded payment not to release or sell the stolen codebase, but Grafana Labs decided not to pay the ransom.

TeamPCP automated its way through the open source ecosystem

The TanStack supply chain compromise affected 42 of its npm packages. Malicious versions were made to include a credential-stealing JavaScript payload.

That compromise, like many others in recent weeks, was carried out via Mini Shai-Hulud, a self-replicating supply chain “worm” created and operated by TeamPCP.

The “worm” allows them to automate supply chain attacks by stealing CI/CD credentials and leveraging them to publish infected versions of more and more packages.

TeamPCP, a cybercrime group that specializes in supply chain attacks targeting open-source utilities and AI middleware, has claimed the GitHub hack and is likely behind Grafana’s, as well.



from Help Net Security https://ift.tt/S76k4Go
