by kurmiashish 459 days ago
Disclaimer: I am a co-founder of StepSecurity.

StepSecurity Harden-Runner detected this security incident by continuously monitoring outbound network calls from GitHub Actions workflows and generating a baseline of expected behaviors. When the compromised tj-actions/changed-files Action was executed, Harden-Runner flagged it due to an unexpected endpoint appearing in the network traffic—an anomaly that deviated from the established baseline. You can check out the project here: https://github.com/step-security/harden-runner


The advertising in this article is making it actively difficult to figure out how to remediate this issue. The "recovery steps" section just says "start our 14 day free trial".

The security industry tolerates self-promotion only to the extent that the threat research benefits everyone.

Thank you, cyrnel, for the feedback! We are trying our best to help serve the community. Now, we have separate recovery steps for general users and our enterprise customers.
Thanks for the edit! In "incident response mode" every moment counts!
A simpler method to detect this would be to store GitHub action tag hashes and freeze an action if any tag is changed
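The tag-freezing idea above, as an added example (not StepSecurity's code and not the commenter's): it flags `uses:` references that rely on a mutable tag instead of a full commit SHA, and compares a stored tag-to-commit baseline against the currently resolved commits so a moved tag can be frozen for review. The workflow text, the baseline and the SHA values are all constructed placeholders; in practice the current mapping would come from `git ls-remote --tags`.

```python
import re
from typing import Dict, List, Tuple

# A full 40-hex commit SHA is the only reference form a moved tag cannot silently change.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)

# Constructed sample workflow; the SHA on the last line is a placeholder, not a real commit.
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567  # constructed SHA
"""

# Constructed baseline: which commit each tag resolved to when it was frozen.
BASELINE: Dict[str, str] = {
    "actions/checkout@v4": "a" * 40,
    "tj-actions/changed-files@v45": "b" * 40,
}
# Constructed "current" resolution: one tag now points somewhere else.
CURRENT: Dict[str, str] = {
    "actions/checkout@v4": "a" * 40,
    "tj-actions/changed-files@v45": "c" * 40,
}

def parse_uses(workflow_yaml: str) -> List[Tuple[str, str]]:
    """Return (action, ref) pairs for every remote `uses:` line in a workflow."""
    pairs = []
    for ref in USES_RE.findall(workflow_yaml):
        ref = ref.strip("\"'")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions have no tag to resolve
        action, _, version = ref.partition("@")
        pairs.append((action, version))
    return pairs

def unpinned(workflow_yaml: str) -> List[str]:
    """Actions referenced by a mutable tag or branch rather than a commit SHA."""
    return [f"{a}@{v}" for a, v in parse_uses(workflow_yaml) if not SHA_RE.match(v)]

def moved_tags(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Tags whose resolved commit differs from the frozen baseline: freeze these."""
    return sorted(t for t, sha in current.items() if t in baseline and baseline[t] != sha)
```

Running `moved_tags(BASELINE, CURRENT)` on the constructed data reports only `tj-actions/changed-files@v45`, while `unpinned(WORKFLOW)` lists the two tag-based references that this check cannot protect until they are pinned.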