2 Matching Annotations
  1. May 2026
    1. The external script identifies links to other workbooks in the stolen data, exfiltrates the discovered workbooks, and continues across all workbooks it can find

      Most people assume a data breach is usually confined to the files that were directly attacked, but the author shows that an attacker can automatically discover and spread to other related workbooks by analyzing the links in the exfiltrated data. This challenges the conventional understanding of how far a data leak reaches and reveals the cascading risk that AI tools can introduce.

  2. Apr 2026
    1. Within eight days, the same campaign had cascaded from GitHub Actions to Docker Hub, npm, PyPI, and the VS Code extension marketplace. With just one token across five ecosystems, thousands of organizations were potentially impacted.

      What is surprising: a single access token can, within just eight days, span five major ecosystems (GitHub Actions, Docker Hub, npm, PyPI and the VS Code extension marketplace), automatically propagating malicious code and affecting thousands of organizations. This cascading supply chain attack demonstrates the fragility of the modern software ecosystem.