Typosquatting Action
Description
Workflows using actions with suspicious naming patterns (similar to popular actions but with slight variations) may be victims of typosquatting attacks: attackers create malicious actions with names similar to legitimate ones (e.g., actions/checkout vs action/checkout, actions/setup-node vs actions/setup-nodejs) to trick users into using compromised versions. Typosquatting is a common supply-chain attack vector that can lead to secret exfiltration, code injection, or repository compromise. 1
Vulnerable Instance
- Workflow uses an action with a name suspiciously similar to a popular action.
- Action may be a typosquatting attempt to trick users.
- Malicious action can compromise workflows and exfiltrate secrets.
name: Build with Suspicious Action
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: action/checkout@v4 # Suspicious - should be actions/checkout
- run: npm testMitigation Strategies
Review the action repository
Visit the action’s GitHub repository and check repository activity, maintenance, code quality, and security posture. Verify it’s the legitimate action you intend to use.Verify the publisher
Confirm the publisher is trusted and legitimate. Check for security advisories, review repository history, and verify the publisher matches the official organization.Compare with official action
Compare the action name, repository, and publisher with the official action. Look for subtle differences in spelling, organization name, or repository structure.Use official actions
Prefer actions from official organizations (e.g.,actions/*,github/*) or verified publishers. Double-check action names before using them.Report suspicious actions
If you identify a typosquatting attempt, report it to GitHub Security. Review all actions in your workflows for similar patterns.Pin to commit SHA
Even for trusted actions, pin to specific commit SHAs rather than tags to prevent compromise if the action repository is later compromised.
Secure Version
name: Build with Verified Action
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- - uses: action/checkout@v4 # Suspicious - should be actions/checkout
+ - uses: actions/checkout@8f4b7f84884ec3e152e95e913f196d7a537752ca # Official, pinned
- run: npm test
Impact
| Dimension | Severity | Notes |
|---|---|---|
| Likelihood |  | Typosquatting attacks are less common but can be effective when users don’t carefully verify action names. |
| Risk |  | Malicious typosquatting actions can exfiltrate secrets, inject backdoors, or compromise the entire CI/CD pipeline. |
| Blast radius |  | Compromised actions can affect all workflows that use them, potentially compromising the entire repository and its secrets. |
References
- GitHub Docs, “Security hardening for GitHub Actions,” https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions 1
GitHub Docs, “Security hardening for GitHub Actions,” https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions ↩︎ ↩︎