Crypto exchange script github


Author: Admin | 2025-04-27

Found inside the repository but not used inside GHA, performed on June 20, 2022

The next repository we analyzed was published on GitHub in April 2022. Similar variations of the same GHA script can be found from different users. Figure 6 shows the GHA workflow script labeled as kapten_crypto (retrieved here). It is set to be triggered manually with the workflow_dispatch directive.

Figure 6. GHA workflow script labeled as kapten_crypto

The repository structure clearly shows that the user does not understand GitHub Actions very well: the GHA YAML was created in different locations with different names and extensions. The workflows file on the repository root and the ones found in .GitHub/workflows and .github/Workflows were all the same. Someone familiar with GHA would know that workflow scripts should be placed under .github/workflows inside the root directory, with a YAML/YML extension, for the scripts to work. Workflows with an uppercase “W” is also accepted, but it is important to remember to add the “S” at the end.

Figure 7. A GHA file being placed in multiple locations showing the malicious actor’s apparent lack of understanding of the service

Going back to the GHA script in Figure 6, we can see a few similarities with the previous one we just analyzed. It uses the multidimensional matrix strategy, sets the maximum number of parallel jobs to 5, and disables the fail-fast approach by setting it to false, on lines 7 to 12.
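The placement rule and the workflow traits described above can be checked across a repository listing. The following is an added example, not code from the original analysis or from the repository it describes: the sample workflow text, the main.yml file names and the trait names are constructed, and only the two directory spellings the page names as accepted are treated as loadable.

```python
import hashlib
import re
from pathlib import PurePosixPath

# Loadable directories, following the page's statement that .github/workflows
# works and that an uppercase "W" is also accepted.
LOADABLE_DIRS = {".github/workflows", ".github/Workflows"}
# Traits the page describes in the kapten_crypto workflow.
TRAITS = {
    "manual_trigger": re.compile(r"\bworkflow_dispatch\b"),
    "matrix": re.compile(r"^\s*matrix\s*:", re.M),
    "max_parallel": re.compile(r"^\s*max-parallel\s*:\s*\d+", re.M),
    "fail_fast_off": re.compile(r"^\s*fail-fast\s*:\s*false\b", re.M),
}

def is_loadable(path: str) -> bool:
    p = PurePosixPath(path)
    return str(p.parent) in LOADABLE_DIRS and p.suffix in {".yml", ".yaml"}

def audit(files: dict[str, str]) -> dict[str, dict]:
    """Map each repo-relative path to its findings; files maps path -> text."""
    digest = {p: hashlib.sha256(t.encode()).hexdigest() for p, t in files.items()}
    return {
        path: {
            "loadable": is_loadable(path),
            "traits": sorted(n for n, rx in TRAITS.items() if rx.search(text)),
            "copies": sorted(q for q in files if q != path and digest[q] == digest[path]),
        }
        for path, text in files.items()
    }

# Constructed sample, not the actor's script: one workflow with the traits
# named above, copied to three hypothetical paths like those the page lists.
SAMPLE = """\
on:
  workflow_dispatch:
jobs:
  build:
    strategy:
      max-parallel: 5
      fail-fast: false
      matrix:
        a: [1, 2]
        b: [1, 2]
"""
SAMPLE_REPO = {p: SAMPLE for p in
               ("workflows", ".GitHub/workflows/main.yml", ".github/Workflows/main.yml")}

if __name__ == "__main__":
    print(*audit(SAMPLE_REPO).items(), sep="\n")
```

Identical copies of a manually triggered matrix workflow scattered across paths that will not load is the pattern the analysis reads as a sign of an inexperienced actor; the "copies" field surfaces it directly.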
