Merge Requests and Insecure GitHub Workflows may lead to Supply-Chain Attacks


Thread author
Staff Member
Malware Hunter
Jul 27, 2015
Security researchers at Legit Security identified vulnerabilities in the GitHub automated workflows used by Google Firebase and Apache Camel that could have been abused to compromise those open-source projects through their GitHub CI/CD pipeline and insert malicious code.

The Israel-based security shop called the exploitation technique "GitHub Environment Injection." It's a way to exploit the platform's automated integration and build process by injecting a malicious payload into a GitHub environment variable called GITHUB_ENV. Legit Security claims a rogue or compromised developer could have used this technique to alter the source code for Firebase or Apache Camel and, among other things, conducted a supply-chain attack on users of that code. Malicious code that made it into the project may have ended up being deployed by organizations.
"Any GitHub user could exploit this flaw by forking the original repository, creating the malicious payload and then merging it back to the original repository," explained Liav Caspi, CTO of Legit, in an email to The Register. "That’s all that is required to trigger the flaw and take over a vulnerable pipeline." Caspi said this is the standard workflow for a contributor to an open-source project. "What is especially dangerous with this vulnerability is that it is triggered before the maintainer gets the chance to review the change, and [the maintainer] does not need to accept it for the vulnerability to take place," said Caspi.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.