Recent open-source supply chain attacks traced to GitHub Actions include Ultralytics shipping a cryptocurrency miner to PyPI, the nx packages compromising thousands of developer machines, and tj-actions leaking secrets from 23,000 repositories—incidents the author attributes to insecure platform defaults designed for private enterprise use rather than anonymous forks and pull requests. The attacks exploited features including the pullrequesttarget trigger providing untrusted code execution with secret access, mutable git tags allowing tag hijacking, and shared GitHub Actions cache entries poisoned by malicious pull requests.
Topicle Beta
1 comment
Recent open-source supply chain attacks traced to GitHub Actions include Ultralytics shipping a cryptocurrency miner to PyPI, the nx packages compromising thousands of developer machines, and tj-actions leaking secrets from 23,000 repositories—incidents the author attributes to insecure platform defaults designed for private enterprise use rather than anonymous forks and pull requests. The attacks exploited features including the pullrequesttarget trigger providing untrusted code execution with secret access, mutable git tags allowing tag hijacking, and shared GitHub Actions cache entries poisoned by malicious pull requests.