Past event

Speaking session

The Forensic Trail On GitHub: Hunting For Supply Chain Activity

ICC Maritime Suite, George V 1 & 2, Level 3
Dec 10, 2025 10:20 AM

Ultralytics. tj-actions. Grafana. GitHub Actions are increasingly targeted by attackers and implicated in industry-impacting incidents. Thankfully, GitHub's public surface offers numerous threat intelligence sources for the discerning defender. This talk covers a comprehensive methodology for investigating and tracking real-world supply chain attacks exploiting GitHub Actions, inspired by our work responding to the aforementioned incidents. It adds a new dimension and set of tools to threat intelligence research.

We'll expose the wealth of intelligence available directly from both GitHub and the underlying Git plane. Through concrete demos, we'll show how to effectively pivot on user metadata and behavioral heuristics, uncover attacker forks, and recover deleted gists and commits. We'll also demonstrate how to trace attacker aliases, identify targets of reconnaissance, and unmask attackers and researchers in real time. Attackers are hiding in the complexity of this ecosystem, but with automation we can peel back the noise, empowering detection and investigation.

This approach is practical, repeatable, and relies exclusively on publicly available data, ensuring accessibility for all defenders without the need for private threat intelligence feeds.

Speakers

  • Amitai Cohen, Threat Researcher at Wiz
  • Rami McCarthy, Principal Security Researcher at Wiz