Christoffer S.<p>StepSecurity has posted another entry on this topic:</p><p><a href="https://www.stepsecurity.io/blog/reviewdog-github-actions-are-compromised" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">stepsecurity.io/blog/reviewdog</span><span class="invisible">-github-actions-are-compromised</span></a></p><p>The security incident involves a malicious payload in reviewdog GitHub Actions that targets the Runner.Worker process to extract secrets. The exploit uses a Python script that reads the process memory of the GitHub Actions runner to access stored secrets. The malicious code was found in commit SHA f0d342d24037bb11d26b9bd8496e0808ba32e9ec of reviewdog/action-setup. The script works by identifying the Runner.Worker process, mapping its memory regions, and reading the contents, which are then printed to stdout, effectively exposing secrets in build logs. This technique is similar to the previously reported tj-actions/changed-files incident.</p><p><a href="https://swecyb.com/tags/StepSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>StepSecurity</span></a> <a href="https://swecyb.com/tags/Github" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Github</span></a> <a href="https://swecyb.com/tags/SupplyChain" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SupplyChain</span></a> <a href="https://swecyb.com/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a></p>
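<p>A defender-side check for the commit named in the post, added here as an example (it is not part of the original post or of StepSecurity's write-up): it scans workflow text for <code>uses:</code> references to reviewdog/action-setup and labels each one as the malicious commit, another full commit SHA, or a tag/branch reference that still has to be resolved to a commit. The function names, labels and the sample workflow are assumptions constructed for illustration.</p>

```python
import re

# Values taken from the post above.
AFFECTED_ACTION = "reviewdog/action-setup"
MALICIOUS_SHA = "f0d342d24037bb11d26b9bd8496e0808ba32e9ec"

# Matches "uses: owner/repo[/path]@ref", optionally quoted or behind "- ".
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Label the part after '@' in a uses: reference (labels are hypothetical)."""
    ref = ref.lower()
    if ref == MALICIOUS_SHA:
        return "malicious-commit"
    if FULL_SHA_RE.match(ref):
        return "pinned-sha"
    # Tag, branch or short SHA: the commit it pointed to must be resolved separately.
    return "mutable-ref"


def audit_workflow(text, action=AFFECTED_ACTION):
    """Return (line number, reference, label) for each use of `action`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        name, _, ref = m.group(1).partition("@")
        repo = "/".join(name.split("/")[:2]).lower()  # drop any sub-path
        if repo == action:
            findings.append((lineno, m.group(1), classify(ref)))
    return findings


# Constructed sample workflow; the last SHA is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - uses: reviewdog/action-setup@f0d342d24037bb11d26b9bd8496e0808ba32e9ec  # v1
      - name: pinned elsewhere
        uses: reviewdog/action-setup@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(*finding)
```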