This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments.
This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.
Read more…
Source: Palo Alto Unit 42
Related:
- North Korea’s Lazarus Group targets healthcare orgs with Medusa ransomware
February 24, 2026
North Korea’s Lazarus Group appears to have added another tool to its kit. It has begun using Medusa ransomware in extortion attacks targeting at least one US healthcare organization and an unnamed victim in the Middle East, according to Symantec and Carbon Black threat hunters. The US healthcare attempt failed, while the Middle East organization was ...
- Fake Zoom meeting “update” silently installs surveillance software
February 24, 2026
A fake Zoom meeting website is silently pushing surveillance software onto Windows machines. Visitors land on a convincing imitation of a Zoom video call. Moments later, an automatic “Update Available” countdown downloads a malicious installer—without asking for permission. The software being installed is a covert build of Teramind, a commercial monitoring tool companies use to record ...
- Russian hackers target European firms with new spear-phishing cyberattacks
February 24, 2026
APT28, the infamous Russian state-sponsored hacking group also known as Fancy Bear, or Sofacy, has been observed targeting “specific entities” in Western and Central Europe with infostealers. In a newly released report, security researchers Lab52 from S2 Grupo detailed “Operation MacroMaze”, which has been ongoing since at least late September 2025 through January 2026. The campaign ...
- Australia: Cyber attack takes major chicken processor Hazeldenes offline leaving businesses without meat
February 23, 2026
A cyber attack at major chicken meat processor Hazeldenes in central Victoria has led it to shutdown its wi-fi system on site, and a shortage of chicken at pubs and butchers across the state. Retail and industry have told the ABC that the chicken meat processor has been unable to fill some orders because it cannot ...
- AWS says more than 600 FortiGate firewalls hit in AI-augmented campaign
February 23, 2026
Cybercriminals armed with off-the-shelf generative AI tools compromised more than 600 internet-exposed FortiGate firewalls across 55 countries in just over a month, according to a new incident report from AWS. The campaign, which ran from mid-January to mid-February, relied less on clever zero-days and more on the equivalent of trying every digital door handle – just ...
- Massive Winos 4.0 Campaigns Target Taiwan
February 20, 2026
FortiGuard Labs recently observed several targeted phishing campaigns in Taiwan that use themes designed to exploit local business processes. These campaigns disseminate Winos 4.0 (ValleyRat) and subsequent malicious plugins through weaponized attachments or embedded links. The lures mimic official communications, such as tax audit notifications, tax filing software installers, and cloud-based e-invoice downloads. Fortinet researchers analysis ...