Widening impact assessment
The tj-actions developers had previously reported that they could not determine exactly how attackers gained access to their GitHub personal access token. This new finding from Wiz provides the missing link, suggesting that the initial reviewdog compromise was the first domino in this cascading attack chain.
Beyond the confirmed compromise of reviewdog/action-setup@v1, the investigation has revealed several other potentially impacted actions from the same developer. These include reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos. The full extent of the compromise across these tools remains under investigation.
While GitHub and reviewdog maintainers have implemented fixes, Wiz warns that if any compromised actions remain in use, a repeat attack targeting “tj-actions/changed-files” could still occur — especially if exposed secrets are not rotated.
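As an added defender-side check (not code from Wiz, tj-actions or reviewdog), the script below scans a GitHub Actions workflow file for references to the actions named in this article and reports whether each is pinned to a full commit SHA or to a mutable tag such as v1; the sample workflow and its 40-hex SHA are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Actions named in the article as confirmed or potentially impacted.
AFFECTED_REPOS = {
    "reviewdog/action-setup", "reviewdog/action-shellcheck",
    "reviewdog/action-composite-template", "reviewdog/action-staticcheck",
    "reviewdog/action-ast-grep", "reviewdog/action-typos",
    "tj-actions/changed-files",
}

# Matches `uses: owner/repo[/path]@ref` steps, quoted or not.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s]+)@([^'\"\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is the only immutable ref


class Finding(NamedTuple):
    action: str   # owner/repo as written in the workflow
    ref: str      # tag, branch or SHA after the '@'
    pinned: bool  # True only when ref is a full 40-hex commit SHA


def scan_workflow(text: str) -> List[Finding]:
    """List every step that uses an affected action and whether it is SHA-pinned."""
    findings = []
    for match in USES_RE.finditer(text):
        path, ref = match.group(1), match.group(2)
        repo = "/".join(path.split("/")[:2])  # drop any sub-action path
        if repo in AFFECTED_REPOS:
            findings.append(Finding(repo, ref, bool(SHA_RE.match(ref))))
    return findings


def unpinned_affected(text: str) -> List[str]:
    """Affected actions referenced by a mutable tag or branch, which a re-tag can hijack."""
    return [f.action for f in scan_workflow(text) if not f.pinned]


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: tj-actions/changed-files@0123456789abcdef0123456789abcdef01234567
      - uses: "reviewdog/action-typos@v1"
"""

if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{f.action}@{f.ref}: {'SHA-pinned' if f.pinned else 'MUTABLE REF'}")
```

A SHA pin only tells you which code runs; secrets that were exposed while a tag-pinned action was compromised still need rotating, as the article notes.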