Major GitHub repos leak access tokens putting code and clouds at risk
- by nlqip
An analysis of build artifacts generated by GitHub Actions workflows inside open-source repositories belonging to major companies revealed sensitive access tokens for third-party cloud services and for GitHub itself. In addition, a change made this year to the GitHub artifacts feature introduced a race condition that attackers can exploit to abuse GitHub tokens that were previously unusable.
The investigation, performed by Yaron Avital, a researcher with Palo Alto Networks, found secrets in artifacts stored in dozens of public repositories, some corresponding to projects maintained by Google, Microsoft, Amazon AWS, Canonical, Red Hat, OWASP, and other major organizations. The tokens provided access to various cloud services and infrastructure, music streaming services, and more.
“This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access,” Avital wrote in his report. “In most of the vulnerable projects we discovered during this research, the most common leakage is of GitHub tokens, allowing an attacker to act against the triggering GitHub repository. This potentially leads to the push of malicious code that can flow to production through the CI/CD pipeline, or to access secrets stored in the GitHub repository and organization.”
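The practical takeaway for a defender is to check artifact contents before they are uploaded, since once a token is inside a downloadable artifact the damage is done. The script below is an added example, not code from the article or from the Palo Alto Networks research: it walks a directory about to be packaged as an artifact and flags strings shaped like GitHub tokens, so a workflow can fail the job before `upload-artifact` runs. It assumes the public GitHub token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_` followed by 36 alphanumerics, and `github_pat_` for fine-grained tokens); the sample files and token values it scans are constructed in a temporary directory and are not real leaks.

```python
"""Pre-upload artifact secret scan (added example, not from the article).

Assumptions: token shapes match GitHub's documented prefixes; the sample
artifact built by build_sample_artifact() is constructed for this demo.
"""
import re
import sys
import tempfile
from pathlib import Path

# Token shapes (assumed from GitHub's public prefix scheme).
TOKEN_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
}
MAX_FILE_BYTES = 5 * 1024 * 1024  # skip very large binaries


def redact(token: str) -> str:
    """Keep only the prefix so findings can be logged without re-leaking the secret."""
    return token[:8] + "****"


def scan_artifact_dir(root) -> list[dict]:
    """Return one finding per token-shaped string found under root.

    Each finding is {"file": relative path, "kind": pattern name, "preview": redacted}.
    Files are read as bytes and decoded leniently so binaries do not crash the scan.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_FILE_BYTES:
            continue
        text = path.read_bytes().decode("utf-8", errors="ignore")
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(text):
                findings.append({
                    "file": str(path.relative_to(root)),
                    "kind": kind,
                    "preview": redact(match.group(0)),
                })
    return findings


def build_sample_artifact(clean: bool = False) -> Path:
    """Construct a throwaway artifact tree; with clean=False it contains two fake tokens."""
    root = Path(tempfile.mkdtemp(prefix="artifact-"))
    (root / "logs").mkdir()
    (root / "logs" / "build.log").write_text("build ok\nno secrets here\n")
    (root / "dist").mkdir()
    if clean:
        (root / "dist" / "settings.json").write_text('{"token": "<redacted>"}\n')
    else:
        # Constructed values with the right shape; they are not real credentials.
        fake_ghs = "ghs_" + "0123456789abcdefghijklmnopqrstuvwxyz"
        fake_pat = "github_pat_11AAAAAAA0_abcdefghijklmnopqrstuv"
        (root / "dist" / "settings.json").write_text(
            '{"token": "%s", "pat": "%s"}\n' % (fake_ghs, fake_pat)
        )
    return root


def main(argv) -> int:
    """Usage: scan_artifact.py [DIR]; without DIR, scans the constructed sample tree."""
    target = Path(argv[1]) if len(argv) > 1 else build_sample_artifact()
    findings = scan_artifact_dir(target)
    for f in findings:
        print(f"{f['kind']}: {f['file']} ({f['preview']})")
    # Non-zero exit lets a workflow step fail before the artifact is uploaded.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after the build and before the upload step; a non-zero exit stops the job, which is cheaper than rotating a token after the artifact has been public.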