Supply chain attacks possible with TensorFlow CI/CD misconfigurations

TensorFlow instances on GitHub and PyPi could have been subjected to supply chain attacks involving the exploitation of continuous integration and continuous delivery vulnerabilities within the open-source machine learning framework, reports The Hacker News. Aside from enabling malicious GitHub deployments, successful attacks could also facilitate remote code execution on self-hosted GitHub runners, as well as GitHub Personal Access Token retrieval, according to a report from Praetorian. Further investigation revealed old fork pull requests on TensorFlow workflows on self-hosted runners, which prompted CI/CD workflows even without approval, as well as the presence of a non-ephemeral self-hosted runner and GITHUB_TOKEN having write permissions in workflow logs. Moreover, malicious Python files could also be injected into packages through the use of the AWS_PYPI_ACCOUNT_TOKEN. "An attacker could also use the GITHUB_TOKEN's permissions to compromise the JENKINS_TOKEN repository secret, even though this secret was not used within workflows that ran on the self-hosted runners," added researchers.