CodeQLEAKED - GitHub Supply Chain Attack Allows Code Execution Using CodeQL Repositories

“If an attacker removed and then added a v3 tag to their malicious commit, every single repository using the default CodeQL workflow would execute their malicious code,” explained the researcher in their report. A significant vulnerability in GitHub’s CodeQL actions could have permitted attackers to execute malicious code across hundreds of thousands of repositories. The compromised token had significant privileges, including “Contents: write,” “Actions: write,” and “Packages: write,” allowing for extensive repository manipulation. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. When users enable CodeQL in their repository settings, GitHub creates a workflow that executes actions from the github/codeql-action repository referenced by specific tags. The vulnerability, assigned CVE-2025-24362, originated from a publicly exposed GitHub token in workflow artifacts that created a small but exploitable window of opportunity. Similar to the recent tj-actions/changed-files incident, it demonstrates how seemingly minor issues in development tooling can cascade into significant security risks for the broader ecosystem. Kaaviya is a Security Editor and fellow reporter with Cyber Security News.

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 27 Mar 2025 08:30:18 +0000

Cyber News related to CodeQLEAKED - GitHub Supply Chain Attack Allows Code Execution Using CodeQL Repositories

CVE-2025-24362 - In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the ...
4 months ago Tenable.com

Software Supply Chain Security Checklist - In the ever-evolving landscape of digital innovation, the integrity of software supply chains has become a pivotal cornerstone for organizational security. Software supply chain security is not just about protecting code - it's about safeguarding the ...
1 year ago Feeds.dzone.com

CVE-2024-25129 - The CodeQL CLI repo holds binaries for the CodeQL command line interface (CLI). Prior to version 2.16.3, an XML parser used by the CodeQL CLI to read various auxiliary files is vulnerable to an XML External Entity attack. If a vulnerable version of ...
1 year ago

CVE-2021-32638 - Github's CodeQL action is provided to run CodeQL-based code scanning on non-GitHub CI/CD systems and requires a GitHub access token to connect to a GitHub repository. The runner and its documentation previously suggested passing the GitHub token ...
2 years ago

CodeQLEAKED - GitHub Supply Chain Attack Allows Code Execution Using CodeQL Repositories - “If an attacker removed and then added a v3 tag to their malicious commit, every single repository using the default CodeQL workflow would execute their malicious code,” explained the researcher in their report. A significant ...
2 months ago Cybersecuritynews.com CVE-2025-24362

New "MITRE ATT&CK-like" framework outlines software supply chain attack TTPs - A new open framework seeks to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack ...
2 years ago Csoonline.com

Securing the code: navigating code and GitHub secrets scanning - Enter the world of GitHub secrets scanning tools, the vigilant sentinels of your digital gala. Secrets scanning in GitHub is anchored by two fundamental strategies: proactive prevention and reactive detection, each serving a critical function in ...
1 year ago Securityboulevard.com

GitHub, PyTorch and More Organizations Found Vulnerable to Self-Hosted Runner Attacks - Last July, we published an article exploring the dangers of vulnerable self-hosted runners and how they can lead to severe software supply chain attacks. GitHub itself was found vulnerable, as well as various notable organizations, such as PyTorch, ...
1 year ago Securityboulevard.com

23,000 GitHub Repositories Targeted In Supply Chain Attack - In a massive security breach discovered this week, approximately 23,000 GitHub repositories have been compromised in what security experts are calling one of the largest supply chain attacks to date. Organizations should review their software supply ...
3 months ago Cybersecuritynews.com

CISA Announces Renewal of the Information and Communications Technology Supply Chain Risk Management Task Force - The Task Force, chaired by CISA's National Risk Management Center and the Information Technology and Communications Sector Coordinating Councils, is a public-private partnership composed of a diverse range of representatives from public and private ...
1 year ago Cisa.gov

GitHub code-signing certificates stolen - Another day, another access-token-based database breach. This time, the victim is Microsoft's GitHub business. On December 6, 2022, repositories from our atom, desktop, and other deprecated GitHub-owned organizations were cloned by a compromised ...
2 years ago Nakedsecurity.sophos.com

How AI could bolster software supply chain security - SAN FRANCISCO - While supply chain risks remain prevalent across enterprises of all sizes, Synopsys' Tim Mackey said AI tools will enable developers more than attackers - at least for now. Supply chain security was a significant topic that speakers ...
1 year ago Techtarget.com

Recent GitHub supply chain attack traced to leaked SpotBugs token - On March 11, 2025, the attacker used the stolen PAT to invite another dummy user (jurkaofavak) into SpotBugs, who pushed a malicious GitHub Actions workflow that exfiltrated another PAT belonging to a Reviewdog maintainer (RD_MNTNR) who also had ...
2 months ago Bleepingcomputer.com

GitHub says hackers cloned code-signing certificates in breached repository - GitHub said unknown intruders gained unauthorized access to some of its code repositories and stole code-signing certificates for two of its desktop applications: Desktop and Atom. Code-signing certificates place a cryptographic stamp on code to ...
2 years ago Packetstormsecurity.com

UK, ROK sound alarm over North Korean supply chain attacks The Register - The national cybersecurity organizations of the UK and the Republic of Korea have issued a joint advisory warning of an increased volume and sophistication of North Korean software supply chain attacks. "In an increasingly digital and interconnected ...
1 year ago Theregister.com Lazarus Group

Supply Chain Cybersecurity - CISO Risk Management Guide - As regulatory scrutiny intensifies and cyber threats grow more sophisticated, CISOs must adopt a proactive, strategic approach to supply chain cybersecurity risk management, making it a boardroom priority and an integral part of organizational ...
1 month ago Cybersecuritynews.com

GitHub Action supply chain attack exposed secrets in 218 repos - The compromise of GitHub Action tj-actions/changed-files has impacted only a small percentage of the 23,000 projects using it, with it estimated that only 218 repositories exposed secrets due to the supply chain attack. According to data shared by ...
3 months ago Bleepingcomputer.com

Attackers Finding Novel Ways to Abuse GitHub: ReversingLabs - Threat actors are finding new ways to take advantage of GitHub in hopes of tricking developers into putting malicious code into their software and sending to users downstream, according to researchers with ReversingLabs. Code repositories like GitHub ...
1 year ago Securityboulevard.com

New Class of CI/CD Attacks Could Have Led to PyTorch Supply Chain Compromise - A newly disclosed class of CI/CD attacks could have allowed attackers to inject malicious code into the PyTorch repository, leading to massive supply chain compromise, Praetorian security researcher John Stawinski says. Initially detailed in December ...
1 year ago Securityweek.com

SCS 9001 2.0 reveals enhanced controls for global supply chains - In this Help Net Security interview, Mike Regan, VP of Business Performance at TIA, discusses SCS 9001 Release 2.0, a certifiable standard crafted to assist organizations in operationalizing the NIST and other government guidelines and frameworks. ...
1 year ago Helpnetsecurity.com

ML Model Repositories: The Next Big Supply Chain Attack Target - The techniques are similar to ones that attackers have successfully used for years to upload malware to open source code repositories, and highlight the need for organizations to implement controls for thoroughly inspecting ML models before use. ...
1 year ago Darkreading.com

Polyfill.io, BootCDN, Bootcss, Staticfile attack traced to 1 operator - The recent large scale supply chain attack conducted via multiple CDNs, namely Polyfill.io, BootCDN, Bootcss, and Staticfile that affected anywhere from 100,000 to tens of millions of websites has been traced to a common operator, according to ...
11 months ago Bleepingcomputer.com

Developer Accounts Compromised Due to Credential Reuse in WordPress.org Supply Chain Attack - On June 24th, 2024, the Wordfence Threat Intelligence Team became aware of a WordPress plugin, Social Warfare, that was infected with malware through the WordPress repository. We immediately notified the WordPress Plugin's Team and they removed the ...
11 months ago Wordfence.com

New Survey Finds a Paradox of Confidence in Software Supply Chain Security - Get results of and analysis on ESG's new survey on supply chain security. New research reveals that, despite increasing attacks and incidents against software supply chains, a surprising number of firms believe their defense is sufficient. This gap ...
1 year ago Securityboulevard.com

Securing the Supply Chain - Before a supply chain can be improved, it must be understood. Rather than attacking one target, it is more effective to manipulate the supply chain to gain access to multiple targets. The 2013 Target breach was an example of a supply chain attack, as ...
2 years ago Securityweek.com