Large enterprises scramble after supply-chain attack spills their secrets
Summary
An attack on an open-source software tool used on the GitHub coding platform has exposed the secrets of more than 23,000 organisations.
The compromised tool, which helps developers to manage changes to their code, was targeted earlier this month.
The attackers altered the tool’s code to siphon off passwords and other sensitive data stored in the memory of servers that run the affected GitHub accounts.
All versions of the tool (tj-actions/changed-files) were affected, and the issue was not restricted to specific users, languages or frameworks.
GitHub staff acted quickly to block further malicious activity, but the exposed data includes databases, programme credentials and secret keys.