While the campaign was catalyzed by the recently open-sourced Shai Hulud framework (thanks teampcp...), the access itself came from compromised credentials from accounts that should have been revoked.
By cross-referencing the usernames pushing the malware against Hudson Rock's database, we discovered that over 33% were exact matches to computers infected by infostealers. Upon deeper manual investigation, we realized that number is actually closer to 100%. (h/t OX Security & SafeDep)
Attackers are logging into these active accounts, exploiting GitHub Actions, and injecting payloads to drain AWS keys, GCP OAuth tokens, and SSH keys straight from CI/CD workflows.
1 comment
[ 0.43 ms ] story [ 18.9 ms ] threadBy cross-referencing the usernames pushing the malware against Hudson Rock's database, we discovered that over 33% were exact matches to computers infected by infostealers. Upon deeper manual investigation, we realized that number is actually closer to 100%. (h/t OX Security & SafeDep)
Attackers are logging into these active accounts, exploiting GitHub Actions, and injecting payloads to drain AWS keys, GCP OAuth tokens, and SSH keys straight from CI/CD workflows.