Threat actors are leveraging typosquatting to target GitHub Actions, a CI/CD platform, by exploiting misspelled action names. This allows attackers to run malicious code in workflows without developers realizing it.
According to Orca Security, adversaries create repositories with names similar to legitimate GitHub Actions, tricking users into invoking malicious actions when they make a typo in the setup. These malicious actions can tamper with source code, steal secrets, or introduce subtle bugs and backdoors, impacting all future builds and deployments.
A search on GitHub revealed 198 files that mistakenly referenced "action/checkout" or "actons/checkout" instead of "actions/checkout." Since GitHub Actions run with repository access, a compromised action could push malicious changes across multiple projects within an organization.
This threat underscores the need to check every action reference in workflow files for misspellings, especially since the same search cannot be run against private repositories, so the extent of their exposure is unknown.
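A defender-side check for the misspelled references described above, added here as an example and not code from Orca Security or GitHub: it parses the `uses:` lines of a workflow file and flags any action owner that is not on a trusted allowlist but is within a small edit distance of one (so "action/checkout" and "actons/checkout" are caught). The allowlist, the distance threshold and the sample workflow are assumptions constructed for the example.

```python
import re

# Constructed allowlist of action owners an organisation trusts (assumption).
TRUSTED_OWNERS = {"actions", "docker", "github"}

# Matches "- uses: owner/repo@ref" lines; quoting and list dashes are optional.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s]+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_uses(workflow_text: str):
    """Yield (line_no, owner, repo, version) for each remote action reference."""
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker images are not typosquattable repo owners.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        repo_part, _, version = ref.partition("@")
        owner, _, repo = repo_part.partition("/")
        yield line_no, owner, repo.split("/")[0], version


def find_suspicious_uses(workflow_text: str, trusted=TRUSTED_OWNERS, max_distance: int = 2):
    """Return references whose owner is a near-miss of a trusted owner."""
    findings = []
    for line_no, owner, repo, version in parse_uses(workflow_text):
        if owner.lower() in trusted:
            continue  # exact match: nothing to flag
        closest = min(trusted, key=lambda t: levenshtein(owner.lower(), t))
        distance = levenshtein(owner.lower(), closest)
        if distance <= max_distance:
            findings.append({"line": line_no, "owner": owner, "repo": repo,
                             "version": version, "looks_like": closest,
                             "distance": distance})
    return findings


# Constructed sample workflow containing two typosquatted checkout references.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: action/checkout@v4
      - uses: actons/checkout@v4
      - uses: ./.github/actions/local-step
      - uses: mycompany/build-tool@v1
      - run: make test
"""

if __name__ == "__main__":
    for f in find_suspicious_uses(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['owner']}/{f['repo']} looks like {f['looks_like']}/{f['repo']}")
```

Owners that are genuinely unrelated to the allowlist (such as the constructed `mycompany`) are not flagged, so the check produces findings only for the near-miss spellings the page describes.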
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067