This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments.
This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.
Read more…
Source: Palo Alto Unit 42
Related:
- Chinese hack exposes data of 5,000 Italian counterterrorism officers
February 18, 2026
Personal data of roughly 5,000 Italian Digos officers — including names, roles and postings — was reportedly obtained by hackers linked to China after a cyber intrusion into the Interior Ministry’s network between 2024 and 2025. The breach potentially exposes officers involved in counterterrorism and monitoring Chinese dissidents, raising serious national security concerns and complicating Italy’s ...
- Data breach at fintech giant Figure affects close to a million customers
February 18, 2026
The data breach that hit blockchain-based lending giant Figure affected nearly a million customers, according to a security researcher. Last week, Figure confirmed a data breach allowed hackers to steal “a limited number of files” from its systems. The company did not provide specifics on what kind of data was stolen nor say how many customers ...
- CVE-2026-2329: Critical Unauthenticated Stack Buffer Overflow in Grandstream GXP1600 VoIP Phones (FIXED)
February 18, 2026
Rapid7 Labs conducted a zero-day research project against the Grandstream GXP1600 series of Voice over Internet Protocol (VoIP) phones. This research resulted in the discovery of a critical unauthenticated stack-based buffer overflow vulnerability, CVE-2026-2329. A remote attacker can leverage CVE-2026-2329 to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. A vendor ...
- Divide and conquer: how the new Keenadu backdoor exposed links between major Android botnets
February 17, 2026
In April 2025, Kaspersky reported on a then-new iteration of the Triada backdoor that had compromised the firmware of counterfeit Android devices sold across major marketplaces. The malware was deployed to the system partitions and hooked into Zygote – the parent process for all Android apps – to infect any app on the device. This allowed ...
- China remains embedded in US energy networks ‘for the purpose of taking it down’
February 17, 2026
Three new threat groups began targeting critical infrastructure last year, while a well-known Beijing-backed crew – Volt Typhoon – continued to compromise cellular gateways and routers, and then break into US electric, oil, and gas companies in 2025, according to Dragos’ annual threat report published on Tuesday. Dragos specializes in operational technology (OT) security, and as ...
- OpenClaw AI agents targeted by infostealer malware for the first time
February 17, 2026
Thanks to its overnight success and widespread adoption, OpenClaw has painted a large target on its back and is now being attacked by infostealers, after security researchers Hudson Rock claimed to have seen a first-of-its-kind attack in the wild. OpenClaw (previously known as Clawdbot and Moltbot) is an open source AI assistant software designed to actually ...