This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments.
This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.
Read more…
Source: Palo Alto Unit 42
Related:
- Void Dokkaebi uses fake job interview lure to spread malware via code repositories
April 21, 2026
Void Dokkaebi, also tracked as Famous Chollima, is a North Korea-aligned intrusion set that systematically targets software developers who hold cryptocurrency wallet credentials, signing keys, and access to continuous integration/continuous delivery (CI/CD) pipelines and production infrastructure. As previously documented by TrendAI Research, the group poses as recruiters from cryptocurrency and AI firms, luring developers into cloning ...
- Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul
April 21, 2026
UK enterprise software consultancy The Adaptavist Group is investigating a security breach after an intruder logged in with stolen credentials, while a ransomware crew claims it grabbed far more than the company is currently admitting. In a letter to customers, Adaptavist’s CEO Simon Haighton-Williams said the biz detected an “IT security incident” in late March after ...
- Amtrak data breach exposes 2.1M records, reports suggest larger leak
April 20, 2026
Booking a train ticket shouldn’t come with a side of data exposure, but that’s the situation Amtrak customers are now facing. The rail service is dealing with a breach after hackers claimed to have accessed and released millions of customer records online. The exposed dataset was confirmed to contain at least 2.1 million unique accounts, although ...
- North Korean hackers blamed for $290M crypto theft
April 20, 2026
Over the weekend, hackers stole more than $290 million in cryptocurrency from Kelp DAO, a protocol that allows users to earn yields on idle crypto investments. By Monday, LayerZero, one of the projects affected by the hack, accused North Korea of carrying out the heist. The hack is now the largest crypto theft of the year ...
- Mythos: An AI tool too powerful for public release
April 20, 2026
Anthropic’s most capable model to date, Claude Mythos Preview (aka Mythos), has been described as a “step change” in AI performance, especially on cybersecurity tasks. Anthropic tried to keep Mythos a secret until a few weeks ago, when a data leak revealed the existence of what the company said was its most powerful artificial intelligence to ...
- Hackers are abusing Apple account notifications to distribute malware, steal money and data
April 20, 2026
Scammers have found a way to abuse Apple’s email notification system to deliver phishing messages and trick people into giving away sensitive data and system access. Recently, people started receiving emails from the email.apple.com domain, notifying them of a $899 iPhone purchase via PayPal. The email also shared a phone number for the victims to call, ...