SC-PYTORCH-RUNNER-2024
CI/CD · GitHub Actions · pytorch/pytorch
Summary
On January 11, 2024, Praetorian researchers John Stawinski and Adnan Khan publicly disclosed a critical supply-chain attack against PyTorch's GitHub Actions CI, which they had originally reported on August 9, 2023. They first merged a trivial markdown typo fix, which promoted their account to a returning contributor whose pull-request workflows no longer required manual approval. PyTorch ran CI on persistent, non-ephemeral self-hosted runners left at GitHub's default setting, which lets fork pull-request workflows execute on them, so a malicious draft PR whose workflow ran a curl-pipe-bash payload executed attacker code directly on a long-lived runner. Because the runner was not torn down between jobs, the attackers stole the runner's GitHub Actions registration token, a write-scoped GITHUB_TOKEN, the GH_PYTORCHBOT_TOKEN and UPDATEBOT_TOKEN personal access tokens (reaching 90-plus repositories), and the aws-pytorch-uploader AWS keys. This was a textbook poisoned pipeline execution ("pwn request") combining a self-hosted runner with fork pull requests, and it enabled release and S3 artifact poisoning of distributed PyTorch binaries.
How to avoid it in your code
- Use ephemeral, single-job isolated self-hosted runners so attacker code cannot persist and harvest later jobs' credentials.
- Require manual approval for workflows from first-time and fork contributors, and do not auto-trust returning contributors.
- Never let fork pull-request workflows run on self-hosted runners holding secrets or cloud keys.
- Scope GITHUB_TOKEN to read-only by default and avoid storing broad PATs and AWS keys on build runners.
- Move release and artifact uploads behind short-lived OIDC cloud roles with environment protection rules and required reviewers.
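The workflow below is an added example that encodes the controls above in a GitHub Actions configuration; it is not taken from pytorch/pytorch. The IAM role ARN, the S3 bucket, the `release` environment name, the `self-hosted` label and the `make build` step are assumptions; the first-contributor approval policy and ephemeral runner registration live outside the workflow file, so they appear only as comments.

```yaml
# Hardened CI/release workflow (example, not PyTorch's own).
# Outside the YAML, two settings complete the picture:
#   * Repository Settings > Actions > General: require approval for all
#     outside collaborators (the returning-contributor default is too loose).
#   * Register self-hosted runners with `./config.sh --ephemeral` so each
#     runner takes exactly one job and is discarded with any stolen material.
name: build-and-release
on:
  pull_request:          # not pull_request_target: fork PRs get a read-only token
  push:
    tags: ['v*']

# The default GITHUB_TOKEN is read-only for every job; jobs opt in to more.
permissions:
  contents: read

jobs:
  build:
    # Fork PRs never reach the self-hosted pool; they stay on GitHub-hosted
    # runners. Same-repo PRs (write-access collaborators) may use self-hosted.
    runs-on: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork && 'ubuntu-latest' || 'self-hosted' }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config on the runner
      - run: make build                # assumed build step

  release:
    needs: build
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    runs-on: self-hosted
    environment: release               # protection rules and required reviewers gate this job
    permissions:
      contents: write                  # only this job may write to the repository
      id-token: write                  # mint a short-lived OIDC token instead of storing AWS keys
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/release-uploader   # assumed role ARN
          aws-region: us-east-1
      - run: aws s3 cp dist/ s3://example-release-bucket/ --recursive      # assumed bucket
```

With this layout a fork PR can only obtain a read-only token on a disposable hosted runner, and the artifact upload path holds no long-lived AWS credential to steal.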
References
- https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/
- https://www.praetorian.com/blog/tensorflow-supply-chain-compromise-via-self-hosted-runner-attack/
- https://www.csoonline.com/article/1290656/researchers-demo-new-ci-cd-attack-techniques-in-pytorch-supply-chain-attack.html
- https://github.com/jstawinski/GitHub-Actions-Attack-Diagram