2. Limit cache restore to specific directories or files. Monitor cache size and content
GitHub Actions can restore a cache from the previous job, including untrusted directories and files. Cache size and content are not monitored for changes.
The attacker poisoned the GitHub Actions cache, allowing the worm to persist across workflow executions and extract sensitive data.
3. Enforce lockfile content or hash verification during install. Treat npm packages as immutable
npm install does not validate the lockfile content or hash during installation. Packages are treated as mutable.
Attacker binaries posted signed malicious packages directly to the npm registry without passing npm’s integrity checks.
4. Monitor and restrict process memory access. Capture and alert unusual memory reads
Process memory access is not actively monitored or restricted by default. Unusual memory reads are not captured or alerted on.
The worm read runner process memory directly to extract sensitive data, bypassing traditional security controls.
5. Separate build and release workflows. Reject release artifacts that fail tests
Many CI/CD pipelines do not enforce a separation between build and release workflows. Release artifacts may be published even if tests fail.
The worm was able to publish signed packages to the npm registry despite failing tests, allowing malicious code to reach end users.
6. Implement automated dependency scanning and vulnerability management. Block known vulnerable packages
Dependency scanning and vulnerability management may not be fully automated or integrated with the CI/CD pipeline. Known vulnerable packages may still be included in projects.
The worm exploited known vulnerabilities in npm and PyPI packages to inject malicious code into the software supply chain.
The complete solution involves pinning and restricting the id-token to only the publish job, as well as ensuring that the job utilizes a clean, unshared cache.
Treat SLSA provenance as essential but not sufficient by adding behavioral analysis at installation time. Teams rely on a valid Sigstore provenance badge to confirm the safety of a package, with npm audit signatures passing and the badge appearing green. However, all 84 malicious TanStack versions had valid SLSA Build Level 3 provenance attestations, leading to the first widely reported npm worm with validly-attested packages. Behavioral analysis at install time is crucial in such cases.
Isolate the GitHub Actions cache per trust boundary, invalidate caches after suspicious PRs, and avoid checking out and executing fork code in pull_request_target workflows. It’s important to separate fork-triggered workflows and release workflows within different cache namespaces to prevent malicious activities. The incident of an attacker poisoning the pnpm store via a fork-triggered pull_request_target emphasizes the need for strict cache isolation and validation practices.
Audit optionalDependencies in lockfiles and dependency graphs, and block github: refs pointing to non-release commits. It’s essential to pay close attention to optionalDependencies, especially those with github: commit refs, as they may not be flagged by standard tools. An incident involving a worm injecting optionalDependencies pointing to a github: orphan commit in the attacker’s fork highlights the potential risks associated with such dependencies.
Audit Python dependency imports separately from npm controls, especially for AI/ML pipelines consuming specific packages. While npm mitigations are applied to JavaScript stacks, Python packages should be thoroughly checked for any potential vulnerabilities. For instance, the mistralai PyPI v2.4.6 package was found to execute code on import, exposing potential security risks.
Isolate and image affected machines before revoking stolen tokens to prevent further damage. Standard incident response protocols should be followed, with a focus on preserving the host machine before revoking compromised tokens. The incident of a worm triggering destructive behavior upon token revocation underscores the importance of careful handling of such situations.
In conclusion, it’s imperative to address the security gaps outlined in the action plan, conduct thorough audits, and implement strict security measures to defend against evolving threats like the Shai-Hulud worm. Collaboration, continuous monitoring, and proactive security measures are key to mitigating risks in today’s complex threat landscape.
Let’s Talk About Security
So, here’s the thing – that attack? It didn’t care about those controls. It saw right through them because the gap wasn’t in the signing. It was in the scope.
Provenance is important. It tells you where a package came from. But here’s the kicker – it doesn’t guarantee that the build was authorized. And that’s where this audit comes in. We’re here to close that gap and make sure everything is as secure as it should be.
