Summary - Supply chain attacks that use typosquatting have been popular for a long time
- The CI/CD solution GitHub Actions has been confirmed to be vulnerable to typosquatting
Content - The CI/CD solution GitHub Actions is vulnerable to typosquatting
> An application can be made to execute malicious code without the developer noticing
> This is possible because anyone can create a GitHub account with a temporary email address and publish a GitHub Action

- About 198 files that exploit typosquatting in GitHub Actions were found
Other - Verify that the name and the source can be trusted
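The check in the last point, as an added example that is not part of the original note or of any GitHub tooling: a small Python audit of a workflow's `uses:` references that flags actions absent from an approved list, names that look like a typo of an approved action, and references not pinned to a full commit SHA. The workflow text, the `TRUSTED_ACTIONS` list and the `audit_workflow`/`closest_trusted` functions are assumptions made for this example, and the lookalike names in the sample are made up.

```python
import re
from difflib import SequenceMatcher

# Constructed sample workflow; "actons/checkout" and "actions/setup-nde" are made-up lookalikes.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
      - uses: actons/checkout@v4
      - uses: actions/setup-nde@v3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Actions this (hypothetical) organisation has reviewed and approved.
TRUSTED_ACTIONS = {"actions/checkout", "actions/setup-node", "github/codeql-action"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def closest_trusted(name):
    """Return (trusted_name, similarity) for the approved action most like `name`."""
    best = max(TRUSTED_ACTIONS, key=lambda t: SequenceMatcher(None, name, t).ratio())
    return best, SequenceMatcher(None, name, best).ratio()

def audit_workflow(text, lookalike_threshold=0.8):
    """Return (line_no, reference, reason) for each uses: line that needs review."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local path or container image, not a published action
        target, _, version = ref.partition("@")
        name = "/".join(target.split("/")[:2])  # owner/repo, dropping any sub-path
        if name not in TRUSTED_ACTIONS:
            best, score = closest_trusted(name)
            if score >= lookalike_threshold:
                findings.append((n, ref, f"looks like {best!r}: possible typosquat"))
            else:
                findings.append((n, ref, "not in the trusted action list"))
        if not FULL_SHA_RE.match(version):
            findings.append((n, ref, "not pinned to a full commit SHA"))
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports the two lookalike references twice each (typosquat suspect and unpinned), and nothing for the SHA-pinned, local and container steps.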

Security news

GitHub Actions Vulnerable to Typosquatting, Exposing Developers to Hidden Malicious Code

Typosquatting in GitHub Actions is a rising security threat, risking software supply chain attacks.

thehackernews.com