This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments.
This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.
Read more…
Source: Palo Alto Unit 42
Related:
- Polish authorities arrest 20-year-old man on suspicion of carrying out DDoS attacks
February 3, 2026
Polish authorities have cuffed a 20-year-old man on suspicion of carrying out DDoS attacks. The Central Bureau for Combating Cybercrime (CBZC) claims the unnamed individual was responsible for attacks on “numerous popular websites,” including those of strategic importance. Given the context, it can be reasonably assumed that strategically important websites likely refers to those providing essential ...
- New malware targets macOS devices via OpenVSX extensions
February 3, 2026
GlassWorm, the malware campaign which targeted VS Code developers on Microsoft’s official Visual Studio Code marketplace, has now expanded to open source alternatives, experts have claimed. Recently, security researchers Socket said they discovered four extensions in Open VSX, an open, vendor-neutral marketplace for editor extensions (mainly used by developers who work with VS Code-compatible editors). These ...
- Northern Ireland: PSNI officers affected by data breach to receive £7,500
February 3, 2026
Almost 10,000 police officers and staff affected by a huge data breach in Northern Ireland are to get a payment of at least £7,500 each. The details of all the PSNI’s serving officers and civilian staff were inadvertently published as part of a response to a Freedom of Information (FOI) request in August 2023. The database ...
- Russian ransomware hackers allegedly hit Tulsa airport in cyberattack, dump private files online as proof
February 2, 2026
Russian ransomware operators Qilin have claimed to have broken into the Tulsa International Airport and stolen an unspecified amount of sensitive company data. A report from Cybernews says the group recently added the airport to their data leak site, and included 18 samples as proof of their claims. The researchers analyzed the samples, finding it included ...
- The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit
February 2, 2026
Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom. Active since 2009, the group is known for its targeted espionage campaigns primarily impacting organizations across Southeast Asia and more recently Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors. Rapid7 investigation ...
- Russia-linked APT28 attackers already abusing new Microsoft Office zero-day
February 2, 2026
Russia-linked attackers are already exploiting Microsoft’s latest Office zero-day, with Ukraine’s national cyber defense team warning that the same bug is being used to target government agencies inside the country and organizations across the EU. In an alert published on Sunday, CERT-UA says the activity is being driven by UAC-0001, better known as “APT28” or “Fancy ...