GitHub Actions flaws exposed repositories to token leaks and privileged workflow compromise
Researchers and maintainers disclosed multiple GitHub Actions security issues that could let attackers steal credentials or gain code execution in CI/CD pipelines. Sansec and Packagist warned that older Composer releases could print raw GITHUB_TOKEN values into GitHub Actions logs after rejecting GitHub’s newer hyphenated token format, creating a supply-chain risk for PHP projects, especially public repositories and older repositories where the default token still had write access. Composer issued fixes in versions 2.9.8, 2.2.28, and 1.10.28, while GitHub rolled back the token format rollout to reduce immediate exposure.
Separate disclosures showed how workflow design and cache handling can turn limited CI access into broader repository compromise. A newly assigned CVE-2026-42603 affects OWASP BLT before 2.1.2, where a privileged pull_request_target workflow checked out and executed code from an attacker-controlled fork, enabling remote code execution with repository write permissions. Earlier research on GitHub Actions cache poisoning described "Actions Cache Blasting," a technique that abuses client-controlled cache keys, cache eviction, and lingering runtime tokens to replace cached artifacts used by more privileged workflows, potentially leading to secret disclosure, release-signing compromise, and tampered build outputs without visible changes in source code or workflow logs.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Packagist and researchers urge immediate Composer updates
Packagist and security researchers warned PHP projects to urgently update Composer, review recent CI logs, and investigate suspicious token activity. The guidance emphasized that GitHub's rollback reduced but did not eliminate the need to patch vulnerable Composer installations.
Composer releases emergency patches for GitHub token leak
Composer maintainers released fixes in versions 2.9.8, 2.2.28, and 1.10.28 for a flaw that could print raw GitHub Actions GITHUB_TOKEN values into CI logs when validating newer token formats. The bug created supply-chain risk for public repositories and older repositories with read/write default token permissions.
GitHub rolls back new token format rollout
After the Composer compatibility issue surfaced, GitHub temporarily rolled back deployment of the new token format to reduce immediate exposure risk. The rollback was described as a temporary mitigation while users updated affected Composer versions.
CVE-2026-42603 is recorded for OWASP BLT workflow vulnerability
CVE-2026-42603 was recorded for the OWASP BLT GitHub Actions vulnerability affecting versions before 2.1.2. The issue was assigned a high-severity CVSS score and linked to a GitHub security advisory.
OWASP BLT fixes pull_request_target RCE issue in version 2.1.2
OWASP BLT fixed a GitHub Actions workflow flaw in version 2.1.2 where `.github/workflows/pre-commit-fix.yaml` used `pull_request_target` while checking out and executing untrusted fork code. The issue could allow remote code execution with repository write permissions.
GitHub begins rolling out the new token format
GitHub started rolling out the new GitHub token format, causing some GitHub Actions workflows using older Composer versions to reject and print tokens in CI logs. The issue particularly affected PHP CI pipelines that registered GITHUB_TOKEN in Composer auth configuration.
GitHub announces new hyphenated GitHub App token format
GitHub announced a new GitHub App installation token format that included hyphens. This format change later exposed compatibility problems in Composer's token validation logic.
Research discloses GitHub Actions cache poisoning technique
Adnan Khan published research on 'Actions Cache Blasting,' describing how attackers with code execution in a default-branch workflow could steal cache credentials, evict caches, and poison them for more privileged downstream workflows. The write-up included demonstrations against repositories such as angular/angular, mdn/content, hyperledger/besu, google/temporian, and chainguard-dev/terraform-provider-cosign.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Packagist Urges Immediate Composer Update After GitHub Actions Token Leak - Cyber Security News
cybersecuritynews.com
Open sourceComposer 2.9.8 and 2.2.28 fix GitHub Actions token disclosure in error messages
blog.packagist.com
Open sourceGithub Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs · Advisory · composer/composer · GitHub
github.com
Open sourceComposer vulnerability leaks GitHub tokens, threatens PHP supply chain | Sansec
sansec.io
Open sourcePackagist Urges Immediate Composer Update After GitHub Actio...
socket.dev
Open sourceCVE-2026-42603 - OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target
cvefeed.io
Open sourceThe Monsters in Your Build Cache - GitHub Actions Cache Poisoning | Adnan Khan - Security Research
adnanthekhan.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Compromised GitHub Actions tags exfiltrated CI/CD secrets from runners
Threat actors compromised the popular GitHub Actions repositories `actions-cool/issues-helper` and `actions-cool/maintain-one-comment` by moving version tags to imposter commits outside the normal commit history, causing workflows that referenced those tags to fetch and run malicious code. Researchers said the payload downloaded the **Bun** JavaScript runtime, read memory from the GitHub Actions `Runner.Worker` process to recover decrypted secrets, and exfiltrated the data over HTTPS to the attacker-controlled domain `t.m-kosche[.]com`; workflows pinned to a known-good full commit SHA were not affected. GitHub later disabled access to the repository for a terms-of-service violation, while StepSecurity added the action to its Compromised Actions Policy and blocked the exfiltration domain through Harden-Runner. The incident highlights a broader GitHub Actions supply-chain risk in which CI/CD trust can be subverted through mutable references and weak integrity controls. Separate research showed that a modified Maven wrapper in a pull request could achieve code execution on GitHub-hosted runners and, if merged, later expose release secrets such as Maven publishing credentials and GPG material, underscoring the need for checksum validation on wrapper scripts and immutable pinning to trusted commit SHAs for third-party actions. StepSecurity also linked the same exfiltration infrastructure to the recent **Mini Shai-Hulud** activity targeting npm packages in the `@antv` ecosystem, suggesting the GitHub Actions compromise may be part of a wider supply-chain campaign.
May 19, 2026Backdoored `tj-actions/changed-files` GitHub Action Leaked CI Secrets from Workflow Logs
The widely used GitHub Action **`tj-actions/changed-files`** was compromised after an attacker gained write access to the repository and retargeted release tags to a malicious orphaned commit, causing workflows pinned to tags rather than immutable SHAs to run attacker-controlled code. The backdoor downloaded and executed a remote payload that scraped decrypted GitHub Actions secrets from process memory and printed them into workflow logs, exposing repositories that executed the action and creating acute risk for public projects where logs were openly accessible. The incident was detected after anomalous outbound network activity was observed, and the maintainer removed the malicious changes soon afterward. Follow-on analysis found the blast radius was substantial because the action was referenced across roughly **23,000 repositories** and many workflows were not pinned to a full commit hash. GitGuardian reported that among workflows executed during the compromise window, hundreds showed signs of exploitation and **603 secrets** were exposed in logs, including temporary GitHub tokens, DockerHub credentials, AWS keys, GitHub personal access tokens, Jira tokens, and cloud.gov credentials. Organizations using the action were urged to review workflow runs from March 14 onward, delete affected logs, rotate any exposed credentials, audit dependencies and commits, and pin third-party GitHub Actions to full commit SHAs to reduce future supply-chain risk.
May 27, 2026
GitHub Actions Update Blocks Unsafe PR Checkouts Amid Workflow Injection Risks
GitHub released `actions/checkout@v7` with a new default safeguard that blocks unsafe checkouts of code from untrusted pull requests in privileged `pull_request_target` and some `workflow_run` scenarios. The change is designed to stop common “pwn request” patterns that can expose a repository’s `GITHUB_TOKEN`, secrets, cache access, and runner environment when workflows fetch and execute attacker-controlled fork code. GitHub said the protection is available immediately in v7 and will be backported to supported major versions, while narrowly pinned deployments must be updated manually. The move follows years of warnings about GitHub Actions supply-chain abuse and fresh examples showing how workflow misconfigurations can lead to token theft, cache poisoning, OIDC token abuse, and malicious package publication. Separately, a disclosed advisory tracked as `GHSA-C3XH-98XP-6QHF` described a command-injection flaw in a GitHub Actions workflow where an attacker could open an issue on a public repository with a crafted title and trigger shell execution on the runner, potentially exposing runner tokens and secrets including `DISCORD_WEBHOOK_URL_ISSUE`. Together, the developments underscore how untrusted repository input in CI workflows can quickly become credential exposure and downstream supply-chain compromise.
Jun 21, 2026