GitHub Actions Update Blocks Unsafe PR Checkouts Amid Workflow Injection Risks
GitHub released actions/checkout@v7 with a new default safeguard that blocks unsafe checkouts of code from untrusted pull requests in privileged pull_request_target and some workflow_run scenarios. The change is designed to stop common “pwn request” patterns that can expose a repository’s GITHUB_TOKEN, secrets, cache access, and runner environment when workflows fetch and execute attacker-controlled fork code. GitHub said the protection is available immediately in v7 and will be backported to supported major versions, while narrowly pinned deployments must be updated manually.
The move follows years of warnings about GitHub Actions supply-chain abuse and fresh examples showing how workflow misconfigurations can lead to token theft, cache poisoning, OIDC token abuse, and malicious package publication. Separately, a disclosed advisory tracked as GHSA-C3XH-98XP-6QHF described a command-injection flaw in a GitHub Actions workflow where an attacker could open an issue on a public repository with a crafted title and trigger shell execution on the runner, potentially exposing runner tokens and secrets including DISCORD_WEBHOOK_URL_ISSUE. Together, the developments underscore how untrusted repository input in CI workflows can quickly become credential exposure and downstream supply-chain compromise.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
GitHub schedules backport of checkout protection to supported major versions
GitHub said the new checkout protection will be backported to all currently supported major versions, while narrowly pinned versions will require manual upgrades. The backport date was stated explicitly in the source.
GitHub releases actions/checkout v7 with unsafe PR checkout protection
GitHub released actions/checkout v7 with a new default protection that blocks unsafe fork-based checkouts in pull_request_target workflows and certain workflow_run cases. The change is intended to stop common "pwn request" patterns that could expose the base repository's GITHUB_TOKEN, secrets, cache access, and runner environment.
GitHub Security Lab publicly documents pull_request_target workflow risk
The risky pattern in which privileged workflows check out and execute code from untrusted pull requests had been publicly documented by GitHub Security Lab since at least 2021, establishing the long-standing supply chain risk later addressed by GitHub.
Command injection in Discord notification workflow is disclosed
A disclosed GitHub Actions workflow vulnerability allows any authenticated GitHub user to trigger command injection by opening an issue with a crafted title on a public repository. The injected payload can execute on the workflow runner and expose sensitive data including runner access tokens and repository secrets such as DISCORD_WEBHOOK_URL_ISSUE.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
GitHub Actions flaws exposed repositories to token leaks and privileged workflow compromise
Researchers and maintainers disclosed multiple GitHub Actions security issues that could let attackers steal credentials or gain code execution in CI/CD pipelines. Sansec and Packagist warned that older Composer releases could print raw `GITHUB_TOKEN` values into GitHub Actions logs after rejecting GitHub’s newer hyphenated token format, creating a supply-chain risk for PHP projects, especially public repositories and older repositories where the default token still had write access. Composer issued fixes in versions `2.9.8`, `2.2.28`, and `1.10.28`, while GitHub rolled back the token format rollout to reduce immediate exposure. Separate disclosures showed how workflow design and cache handling can turn limited CI access into broader repository compromise. A newly assigned `CVE-2026-42603` affects OWASP BLT before `2.1.2`, where a privileged `pull_request_target` workflow checked out and executed code from an attacker-controlled fork, enabling remote code execution with repository write permissions. Earlier research on GitHub Actions cache poisoning described "Actions Cache Blasting," a technique that abuses client-controlled cache keys, cache eviction, and lingering runtime tokens to replace cached artifacts used by more privileged workflows, potentially leading to secret disclosure, release-signing compromise, and tampered build outputs without visible changes in source code or workflow logs.
May 14, 2026
Compromised GitHub Actions tags exfiltrated CI/CD secrets from runners
Threat actors compromised the popular GitHub Actions repositories `actions-cool/issues-helper` and `actions-cool/maintain-one-comment` by moving version tags to imposter commits outside the normal commit history, causing workflows that referenced those tags to fetch and run malicious code. Researchers said the payload downloaded the **Bun** JavaScript runtime, read memory from the GitHub Actions `Runner.Worker` process to recover decrypted secrets, and exfiltrated the data over HTTPS to the attacker-controlled domain `t.m-kosche[.]com`; workflows pinned to a known-good full commit SHA were not affected. GitHub later disabled access to the repository for a terms-of-service violation, while StepSecurity added the action to its Compromised Actions Policy and blocked the exfiltration domain through Harden-Runner. The incident highlights a broader GitHub Actions supply-chain risk in which CI/CD trust can be subverted through mutable references and weak integrity controls. Separate research showed that a modified Maven wrapper in a pull request could achieve code execution on GitHub-hosted runners and, if merged, later expose release secrets such as Maven publishing credentials and GPG material, underscoring the need for checksum validation on wrapper scripts and immutable pinning to trusted commit SHAs for third-party actions. StepSecurity also linked the same exfiltration infrastructure to the recent **Mini Shai-Hulud** activity targeting npm packages in the `@antv` ecosystem, suggesting the GitHub Actions compromise may be part of a wider supply-chain campaign.
May 19, 2026Backdoored `tj-actions/changed-files` GitHub Action Leaked CI Secrets from Workflow Logs
The widely used GitHub Action **`tj-actions/changed-files`** was compromised after an attacker gained write access to the repository and retargeted release tags to a malicious orphaned commit, causing workflows pinned to tags rather than immutable SHAs to run attacker-controlled code. The backdoor downloaded and executed a remote payload that scraped decrypted GitHub Actions secrets from process memory and printed them into workflow logs, exposing repositories that executed the action and creating acute risk for public projects where logs were openly accessible. The incident was detected after anomalous outbound network activity was observed, and the maintainer removed the malicious changes soon afterward. Follow-on analysis found the blast radius was substantial because the action was referenced across roughly **23,000 repositories** and many workflows were not pinned to a full commit hash. GitGuardian reported that among workflows executed during the compromise window, hundreds showed signs of exploitation and **603 secrets** were exposed in logs, including temporary GitHub tokens, DockerHub credentials, AWS keys, GitHub personal access tokens, Jira tokens, and cloud.gov credentials. Organizations using the action were urged to review workflow runs from March 14 onward, delete affected logs, rotate any exposed credentials, audit dependencies and commits, and pin third-party GitHub Actions to full commit SHAs to reduce future supply-chain risk.
May 27, 2026