Day: April 4, 2025

This Week In Security: Target Coinbase, Leaking Call Records, And Microsoft Hotpatching

April 4, 2025 by 2 Comments

We know a bit more about the GitHub Actions supply chain attack from last month. Palo Alto’s Unit 42 has been leading the charge on untangling this attack, and they’ve just released an update to their coverage. The conclusion is that Coinbase was the initial target of the attack, with the open source agentkit package first (unsuccessfully) attacked. This attack chain started with pull_request_target in the spotbugs/sonar-findbugs repository.

The pull_request_target hook is exceptionally useful in dealing with pull requests for a GitHub repository. The workflow here is that the project defines a set of Continuous Integration (CI) tests in the repository, and when someone opens a new Pull Request (PR), those CI tests run automatically. Now there’s an obvious potential problem, and Github thought of it and fixed it a long time ago. The GitHub Actions are defined right in the repository, and letting any pull request run arbitrary actions is a recipe for disaster. So GitHub always uses actions as they are defined in the repository itself, ignoring any incoming changes in the PR. So pull_request_target is safe now, right? Yes, with some really big caveats.

The simplest security problem is that many projects have build scripts in the repository, and those are not considered part of GitHub Actions by GitHub. So include malicious code in such a build script, make it a PR that runs automatically, and you have access to internal elements like organization and repository secrets and access tokens. The most effective mitigation against this is to require approval before running workflows on incoming PRs.

So back to the story. The spotbugs/sonar-findbugs repository had this vulnerability, and an attacker used it to export secrets from a GitHub Actions run. One of those secrets happened to be a Personal Access Token (PAT) belonging to a spotbugs maintainer. That PAT was used to invite a throwaway account, [jurkaofavak], into the main spotbugs repository. Two minutes after being added, the [jurkaofavak] account created a new branch in spotbugs/spotbugs, and deleted it about a second later. This branch triggered yet another malicious CI run, now with arbitrary Github Actions access rather than just access through a build script. This run leaked yet another Personal Access Token, belonging to a maintainer that worked on both the spotbugs and reviewdog projects. Continue reading “This Week In Security: Target Coinbase, Leaking Call Records, And Microsoft Hotpatching”

Keep Bears At Bay With The Crackle Of 280,000 Volts

April 4, 2025 by 42 Comments

Bears! Are they scared of massive arcs that rip through the air, making a lot of noise in the process? [Jay] from the Plasma Channel sure hopes so, because that’s how his bear deterrent works!

[Jay] calls it the Bear Blaster 5000. Right from the drop, this thing looks like some crazy weapon out of Halo. That’s because it throws huge arcs at 280,000 volts. The basic concept behind it is simple enough—a battery drives a circuit which generates (kinda) low voltage AC. This is fed to the two voltage multipliers which are set up with opposite polarity to create the greatest possible potential difference between the two electrodes they feed. The meaty combination is able to arc across electrodes spaced over four inches apart. It’s all wrapped up in a super-cool 3D printed housing that really shows off the voltage multiplier banks.

Continue reading “Keep Bears At Bay With The Crackle Of 280,000 Volts”

A Portable Electronics Workstation

April 4, 2025 by 26 Comments

You don’t see them as often as you used to, but it used to be common to see “electronics trainers” which were usually a collection of components and simple equipment combined with a breadboard, often in a little suitcase. We think [Pro Maker_101’s] portable electronics workstation is in the same kind of spirit, and it looks pretty nice.

The device uses a 3D printed case and a custom PC board. There are a number of components, although no breadboard. There is a breakout board for Raspberry Pi GPIO, though. So you could use the screw terminals to connect to an external breadboard. We were thinking you could almost mount one as a sort of lid so it would open up like a book with the breadboard on one side and the electronics on the other. Maybe version two?

One thing we never saw on the old units? An HDMI flat-screen display! We doubt you’d make one exactly like this, of course, but that’s part of the charm. You can mix and match exactly what you want and make the prototyping station of your dreams. Throw in a small portable soldering iron, a handheld scopemeter, and you can hack anywhere.

We’d love to see something like this that was modular. Beats what you could build in 1974.

Continue reading “A Portable Electronics Workstation”