gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-06-12 11:01:38 -07:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Mini Shai-Hulud: FAQ on the TeamPCP npm and PyPI supply-chai...

Browse Source
This commit is contained in:
HackTricks News Bot
2026-05-21 19:57:44 +00:00
parent 8cb43f6b52
commit 1484d713ec
1 changed files with 30 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/pentesting-ci-cd/github-security/abusing-github-actions/README.md
+30
View File
@@ -516,6 +516,32 @@ GitHub exposes a cross-workflow cache that is keyed only by the string you suppl
gh-actions-cache-poisoning.md
{{#endref}}
### OIDC trusted publishing compromise & provenance limits
Cache poisoning and `pull_request_target` abuse become much more impactful when the **release workflow publishes through OIDC trusted publishing** instead of a static registry token:
1. A low-trust workflow (`pull_request_target`, `issue_comment`, bot command, etc.) writes a **malicious binary/script** into a cache key later restored by the privileged release workflow.
2. The release job restores and executes that binary while holding **`id-token: write`** or an already-minted registry session.
3. The attacker steals the short-lived identity material, usually by either:
- directly requesting a GitHub OIDC token from `ACTIONS_ID_TOKEN_REQUEST_URL` with `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, or
- dumping the runner worker process memory / tool-specific token cache after the publish helper requested the token.
4. The stolen OIDC token is exchanged with the registry trusted-publishing / federation endpoint for **real publish credentials**, so the malicious package is published by the victim's own CI/CD pipeline.
This is important because **npm provenance and Sigstore attestations only prove that the package was produced by the expected build workflow**. They do **not** prove that the workflow was free from attacker-controlled code. If the attacker compromises the trusted builder itself, the backdoored package can still receive valid provenance.
Practical implications during an assessment:
- Look for release jobs with **`permissions: id-token: write`** plus `npm publish`, `pnpm publish`, `changesets`, or custom publish wrappers.
- Treat `ACTIONS_ID_TOKEN_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, runner memory, and CLI token caches as **equivalent credential sources** once code execution is obtained in the release context.
- Do not assume `npm audit signatures` / provenance verification will detect a package built by a **compromised but legitimate** workflow.
**Mitigations**
- Keep untrusted workflows and release workflows on **separate cache namespaces** and never restore executable tooling from a cache written by PR-triggerable jobs.
- Minimize `id-token: write` to the exact publish step/job and avoid exposing OIDC-capable helpers earlier in the workflow.
- Rebuild/rehash restored binaries or download them from a verified source before execution; do not execute toolchains directly from cache paths.
- Treat provenance as an **origin signal**, not a standalone safety signal; combine it with workflow hardening, dependency diffing, and runtime validation.
### Artifact Poisoning
Workflows could use **artifacts from other workflows and even repos**, if an attacker manages to **compromise** the Github Action that **uploads an artifact** that is later used by another workflow he could **compromise the other workflows**:
@@ -910,5 +936,9 @@ An organization in GitHub is very proactive in reporting accounts to GitHub. All
- [OpenGrep playground releases](https://github.com/opengrep/opengrep-playground/releases)
- [A Survey of 20242025 Open-Source Supply-Chain Compromises and Their Root Causes](https://words.filippo.io/compromise-survey/)
- [Weaponizing the Protectors: TeamPCPs Multi-Stage Supply Chain Attack on Security Infrastructure](https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/)
- [Mini Shai-Hulud: Frequently asked questions about the TeamPCP npm and PyPI supply chain campaign](https://www.tenable.com/blog/mini-shai-hulud-frequently-asked-questions)
- [Events that trigger workflows - GitHub Docs](https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows)
- [Trusted publishing for npm packages | npm Docs](https://docs.npmjs.com/trusted-publishers/)
- [Generating provenance statements | npm Docs](https://docs.npmjs.com/generating-provenance-statements/)
{{#include ../../../banners/hacktricks-training.md}}