Researchers at Legit Security have disclosed a way for an attacker to push unauthorized changes into open-source repositories hosted on GitHub. Because the tampering lands in the project's own build, it could seed malicious code into the latest releases of the affected software.
According to the researchers, the issue affects projects whose GitHub Actions workflows automatically build the code as soon as a change to a software dependency is detected. Legit Security ran a test attack against a project written in Rust; the attack caused the project to be rebuilt against a malicious copy of a GCC library.
The attack abuses the automated build that GitHub Actions performs. In the vulnerable pattern, the workflow runs code taken from an untrusted fork inside the project's own build container, with root privileges and with the repository's credentials, so the attacker can alter the original source from within the build. Put simply, the attacker forks the repository on GitHub and the fork's code is then pulled into the project's build environment and executed there.
Because that build runs with full access to the project repository, the attacker can modify the repository's branches. The Rust project's pipeline did not restrict those rights to specific areas, so the attacker ended up with nearly full control over the repository.
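As an added illustration, not taken from the article or from Legit Security's write-up: the GitHub Actions shape that matches the description above is the `pull_request_target` trigger. It fires for pull requests from forks but executes with the base repository's `GITHUB_TOKEN` and secrets, so a workflow that checks out the fork's commit and then builds it hands the fork's code those privileges (a `build.rs` in a Rust crate, for instance, runs during `cargo build`). The Python script below embeds two constructed sample workflows, one vulnerable and one hardened (plain `pull_request` trigger, read-only `permissions`, checkout of the base commit), and a stdlib-only heuristic audit that flags the dangerous combination. The workflow names, paths and secret names are invented, and neither sample is the actual rust-lang configuration.

```python
"""Heuristic audit for the 'privileged trigger + fork checkout + execution'
pattern in GitHub Actions workflows.  Added example; stdlib only."""
import re
import sys
from dataclasses import dataclass

# Constructed sample resembling the risky pattern.  Names, paths and the
# secret are invented; this is NOT the rust-lang repository's workflow.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:          # runs with the BASE repo's token and secrets
    paths:
      - 'Cargo.lock'            # fires when a dependency change is detected
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # the fork's code
      - run: cargo build --release      # build.rs from the fork now runs here
      - run: ./ci/publish.sh
        env:
          TOKEN: ${{ secrets.PUBLISH_TOKEN }}
"""

# Same job, hardened: untrusted trigger, read-only token, base-commit checkout.
# Fork code still builds, but with a read-only token and no secrets.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
    paths:
      - 'Cargo.lock'
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3       # default ref, no explicit fork head
      - run: cargo build --release
"""

# Triggers that run in the base repository's context with its secrets.
PRIVILEGED_TRIGGER = re.compile(r"\b(pull_request_target|workflow_run)\b")
# Explicit checkout of the pull request head, i.e. the fork's commit.
FORK_CHECKOUT = re.compile(r"github\.(event\.pull_request\.head\.(sha|ref)|head_ref)\b")
# Anything that executes code from the checked-out tree.
RUNS_CODE = re.compile(r"^\s*-?\s*(run:|uses:\s*\./)", re.M)
SECRETS = re.compile(r"\bsecrets\.\w+")


@dataclass
class WorkflowAudit:
    privileged_trigger: bool  # trigger runs with the base repo's GITHUB_TOKEN and secrets
    fork_checkout: bool       # explicitly checks out the PR head (the fork's code)
    runs_code: bool           # executes a run: step or a local action from the checkout
    uses_secrets: bool        # references repository secrets

    @property
    def exploitable(self) -> bool:
        """All three together: the fork's code runs with the repo's write access."""
        return self.privileged_trigger and self.fork_checkout and self.runs_code


def _strip_comments(text: str) -> str:
    # Good enough for a heuristic: drop everything after '#' on each line.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def audit_workflow(text: str) -> WorkflowAudit:
    """Audit one workflow file's text (no YAML parser; line heuristics)."""
    t = _strip_comments(text)
    return WorkflowAudit(
        privileged_trigger=bool(PRIVILEGED_TRIGGER.search(t)),
        fork_checkout=bool(FORK_CHECKOUT.search(t)),
        runs_code=bool(RUNS_CODE.search(t)),
        uses_secrets=bool(SECRETS.search(t)),
    )


def audit_files(paths):
    """Audit e.g. .github/workflows/*.yml; returns {path: WorkflowAudit}."""
    results = {}
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            results[p] = audit_workflow(fh.read())
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_files(sys.argv[1:])
    else:
        results = {"vulnerable.yml": audit_workflow(VULNERABLE_WORKFLOW),
                   "hardened.yml": audit_workflow(HARDENED_WORKFLOW)}
    for name, a in results.items():
        print(f"{name}: {'EXPLOITABLE' if a.exploitable else 'ok'} {a}")
```

Run it with no arguments to see both samples classified, or pass `.github/workflows/*.yml` to audit a real repository. The check is deliberately conservative: a privileged trigger on its own is flagged only as a property, not as exploitable, because `pull_request_target` with the default checkout builds the base branch, not the fork; it is the explicit checkout of `github.event.pull_request.head.*` followed by a build step that recreates the situation described in the article.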
Legit Security says the pattern is present in a very large number of projects and urges maintainers to audit their workflows and check their code for unauthorized changes. GitHub has confirmed the problem, and the Legit researchers who reported it have already received a reward for the find.