Supply Chain Attack Via MS GitHub's Runner Images

Accepted submission by canopic jug at 2024-01-18 09:08:08 from the not-python-but-github dept.
Security

Software engineer and security researcher Adnan Khan has found and published a supply chain attack carried out via Microsoft GitHub's runner images [adnanthekhan.com]. The write-up quoted below concerns GitHub's own actions/runner-images repository, which builds the base images for GitHub-hosted runners; a companion write-up applied the same class of attack to the PyTorch project.

For a period of time between February 2023 and July 25th, 2023, one such repository was GitHub’s own actions/runner-images repository. You might be able to guess where this story is going. This is the story of how I discovered and exploited a Critical misconfiguration vulnerability and reported it to GitHub. The vulnerability provided access to internal GitHub infrastructure as well as secrets. There was also a very high likelihood that this access could be used to insert malicious code into all of GitHub’s runner base images – allowing an attacker to conduct a supply chain attack against every GitHub customer that used hosted runners.

More than a few sites are wrongly framing this as a weakness in Python, PyTorch, or even FOSS in general. The problem lies not with FOSS, Python, or PyTorch but with the reliance on Microsoft's infrastructure for development [johnstawinski.com]. Fortunately, there are mitigations [sethmlarson.dev]. GitHub is software as a service; it is neither FOSS nor Git itself, though it makes use of both. It currently serves as a showcase for Microsoft Copilot [aibusiness.com].
