Supply Chain Dependency: What Your GitHub Connections May Trigger

The writing is on the wall, and it is hard to ignore after the significant spike in attacks against GitHub repositories. The recent CircleCI breach, in which customers’ secrets and encryption keys were stolen, makes it very clear that attackers already understand and exploit this vector. Now more than ever is the time for companies to secure these non-human connections, i.e., API keys and access tokens, as diligently as username and password credentials are protected. Otherwise, it could be a quick path to an insecure supply chain.

Insecure Connections

The CircleCI breach is just the most recent in a chain of attacks in which hackers take advantage of these insecure connections to breach companies’ GitHub environments. For instance, just last month Slack’s private GitHub code repositories were breached; and in April 2022, attackers used stolen OAuth app tokens issued to Heroku and Travis CI to breach dozens of GitHub customer accounts with authorized Heroku or Travis CI OAuth app integrations. Probably the most infamous attack was the Codecov breach in 2021, in which attackers compromised the Codecov cloud service and stole OAuth tokens that gave them direct access to the GitHub repositories of 17,000 Codecov customers. In all of these cases, the threat actors were able to escalate privileges in order to access data, using API keys and personal access tokens generated by employees to connect their organization’s GitHub environment to third-party apps as well as internal apps and workflows.

GitHub Connections

As companies continue to adapt to a largely remote workforce, they are increasingly giving their teams the freedom to connect apps to apps. Take GitHub, for example: the largest code hosting platform for developers, which currently allows 94 million users to build products and connections across more than 330 million repositories. It is the largest open source community and provides endless possibilities for developers. What is often overlooked, however, is that the majority of these connections are unstructured, posing an imminent threat.

These GitHub connections are not just third-party apps; they are also internal apps with multiple endpoints created by engineers. For instance, a developer wants to test a new solution, so he generates a token or provides an existing token to an additional service. These tokens usually never expire and carry a high level of permissions. In most cases, they are “set and forget” tokens that are used once for a test and then left open and connected to the GitHub repository. Examples like this are more common than not. For context, anywhere from 20 to 30 new personal access tokens can be generated in a GitHub organization every week.

Connections like these, or shadow integrations, are created using API keys, OAuth tokens and more, and they are often how attackers make their way inside. When developers authorize new applications via a service account or a Secure Shell (SSH) key, for example, the integrations are rarely reviewed or approved and do not provide a secure connection to GitHub. This lack of oversight can also leave permissions granted to past users or employees who have since left the company, potentially giving unauthorized access to anyone who finds that connection. For instance, the Slack breach from New Year’s 2023 showed how threat actors accessed Slack’s externally hosted GitHub repositories via a limited number of stolen Slack employee tokens.

Attack Surface Expanded

While businesses may see a boost in productivity, so do threat actors. With these open-ended GitHub connections, your attack surface has expanded severely and can expose the business to an array of risks: supply chain attacks, compliance violations and, most commonly seen, unauthorized access.

There is a great deal of discussion around supply chain risks and the vulnerabilities themselves, but the root of the issue spans the whole engineering environment. Businesses should start focusing on securing the entire ecosystem, which is now composed of thousands of third-party integrations. But how exactly can organizations avoid exposing too much of the business while still maintaining the level of integration and efficiency required to get the job done?

Continuous Monitoring

The answer is ongoing and holistic visibility and protection. Businesses should protect their API keys, OAuth tokens and any other third-party connections as rigorously as they protect their passwords. Login credentials like a username and password are protected by multi-factor authentication (MFA); API keys, by contrast, are typically not secured by anything beyond the key itself. For GitHub users specifically, replace classic personal access tokens (PATs) with the new fine-grained PATs and limit them to a specific repository. To reduce the attack surface and minimize the blast radius of a compromise, continuous monitoring of these connections is, and should be made, a priority.
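The monitoring described above amounts to a recurring audit of the token inventory for the "set and forget" conditions the article lists: no expiry, broad permissions, access to every repository, long idle periods, and owners who have left the organization. The following is an added example, not code from the article or from Astrix; the inventory records, member list, scope names and field names are constructed to resemble what such an inventory would hold, not the GitHub API's own schema.

```python
"""Audit a constructed GitHub access-token inventory for 'set and forget' risk."""
from datetime import datetime, timedelta, timezone

# Classic PAT scopes that grant repo- or org-wide write/admin rights.
BROAD_SCOPES = {"repo", "admin:org", "admin:org_hook", "delete_repo", "workflow"}
IDLE_DAYS = 90  # assumption: a token unused this long is a candidate for revocation

NOW = datetime(2023, 2, 1, tzinfo=timezone.utc)
CURRENT_MEMBERS = {"alice", "bob"}  # constructed: people still in the org

# Constructed sample inventory. 'repos' is None when the token is not
# restricted to specific repositories; 'last_used_at' is None if never used.
TOKENS = [
    {"id": "t1", "owner": "alice", "scopes": ["repo"], "expires_at": None,
     "last_used_at": NOW - timedelta(days=200), "repos": None},
    {"id": "t2", "owner": "bob", "scopes": ["contents:read"],
     "expires_at": NOW + timedelta(days=30),
     "last_used_at": NOW - timedelta(days=3), "repos": ["org/app"]},
    {"id": "t3", "owner": "carol", "scopes": ["admin:org"], "expires_at": None,
     "last_used_at": None, "repos": None},
]


def audit_token(token, now=NOW, members=CURRENT_MEMBERS):
    """Return the list of risk findings for a single token record."""
    findings = []
    if token["expires_at"] is None:
        findings.append("no-expiry")          # 'forever access'
    if BROAD_SCOPES & set(token["scopes"]):
        findings.append("broad-scope")        # high level of permissions
    if token["repos"] is None:
        findings.append("all-repos")          # not limited to one repository
    last = token["last_used_at"]
    if last is None or (now - last).days > IDLE_DAYS:
        findings.append("idle")               # used once for a test, then forgotten
    if token["owner"] not in members:
        findings.append("departed-owner")     # owner has left the company
    return findings


def audit_inventory(tokens=TOKENS, now=NOW, members=CURRENT_MEMBERS):
    """Map token id -> findings, keeping only tokens that need action."""
    return {t["id"]: f for t in tokens if (f := audit_token(t, now, members))}


if __name__ == "__main__":
    for tid, findings in audit_inventory().items():
        print(tid, ", ".join(findings))
```

Run on a schedule against a real inventory export, the same logic gives a revocation queue rather than a one-off report.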

Time is of the essence. The attacks described above show just how quickly and easily these unstructured GitHub connections can lead to a whole new world of supply chain dependencies. If organizations address this imminent threat by properly governing these connections, then perhaps we can slow the occurrence of these attacks.

Alon Jackson

Alon Jackson is the CEO and co-founder of Astrix Security, a leading enterprise solution securing app-to-app interconnectivity. Prior to founding Astrix, Jackson served in various strategic roles in the Cyber Security Division of the Israeli Military Intelligence Unit 8200, including leading the Cloud Security Division and serving as the Head of the Cyber Security R&D Department. His experience also spans the private sector, where he served as Head of the R&D Group at automotive cyber security company Argus (acquired by Continental AG). Jackson received an MSc in Computer Science with honors, specializing in cryptography.