TensorFlow, as distributed on GitHub and PyPI, could have been subjected to supply chain attacks that exploited continuous integration and continuous delivery (CI/CD) vulnerabilities within the open-source machine learning framework's own repository, reports The Hacker News.
Aside from enabling malicious GitHub deployments, successful attacks could also have allowed remote code execution on self-hosted GitHub runners and retrieval of GitHub Personal Access Tokens, according to a report from Praetorian. Further investigation found that old fork pull requests against TensorFlow workflows triggered CI/CD runs on self-hosted runners even without approval, that a self-hosted runner was non-ephemeral, and that the GITHUB_TOKEN visible in workflow logs had write permissions. Moreover, malicious Python files could have been injected into packages by using the AWS_PYPI_ACCOUNT_TOKEN.
"An attacker could also use the GITHUB_TOKEN's permissions to compromise the JENKINS_TOKEN repository secret, even though this secret was not used within workflows that ran on the self-hosted runners," added researchers.
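As an added example (not from the article or from Praetorian's report), a small Python audit of GitHub Actions workflow definitions for two of the weaknesses described above: fork pull requests that can reach a self-hosted runner, and a GITHUB_TOKEN left with write permissions. It assumes each workflow file has been loaded with yaml.safe_load into a dict; the two sample workflows are constructed, not TensorFlow's.

```python
"""Audit GitHub Actions workflow dicts (as returned by yaml.safe_load) for the
weaknesses described above: fork pull requests reaching self-hosted runners and
a GITHUB_TOKEN left with write permissions. Runner ephemerality is a runner-side
setting, not visible in the YAML, so it is not checked. Samples are constructed."""
from typing import Any

FORK_TRIGGERS = {"pull_request", "pull_request_target"}

def _triggers(workflow: dict[str, Any]) -> set[str]:
    # YAML 1.1 loaders read an unquoted `on:` key as the boolean True.
    on = workflow.get("on", workflow.get(True, {}))
    return {on} if isinstance(on, str) else set(on)

def _uses_self_hosted(job: dict[str, Any]) -> bool:
    runs_on = job.get("runs-on", "")
    labels = [runs_on] if isinstance(runs_on, str) else list(runs_on)
    return any("self-hosted" in str(label) for label in labels)

def _token_can_write(workflow: dict[str, Any], job: dict[str, Any]) -> bool:
    # Job-level `permissions` overrides the workflow-level block; when neither is
    # set the token inherits the repository default, so the job is reported.
    perms = job.get("permissions", workflow.get("permissions"))
    if perms is None or perms == "write-all":
        return True
    if perms == "read-all":
        return False
    return any(scope == "write" for scope in perms.values())

def audit_workflow(name: str, workflow: dict[str, Any]) -> list[str]:
    """Return one finding per weak job; an empty list means no findings."""
    findings = []
    fork_triggered = bool(_triggers(workflow) & FORK_TRIGGERS)
    for job_name, job in workflow.get("jobs", {}).items():
        if fork_triggered and _uses_self_hosted(job):
            findings.append(f"{name}/{job_name}: fork PRs can reach a self-hosted runner")
        if _token_can_write(workflow, job):
            findings.append(f"{name}/{job_name}: GITHUB_TOKEN can write to the repository")
    return findings

# Constructed samples: the weak shape beside a hardened one.
WEAK = {"on": ["push", "pull_request"],
        "jobs": {"build": {"runs-on": ["self-hosted", "linux"],
                           "steps": [{"run": "make test"}]}}}
FIXED = {"on": ["push", "pull_request"], "permissions": {"contents": "read"},
         "jobs": {"build": {"runs-on": "ubuntu-latest",
                            "steps": [{"run": "make test"}]}}}

if __name__ == "__main__":
    for label, wf in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_workflow(label, wf) or ["no findings"])
```

A job-level `if` condition restricting self-hosted jobs to non-fork events is not evaluated here, so such jobs are still reported for manual review.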