This research reviews an attack vector allowing the compromise of GitHub repositories, which not only has severe consequences in itself but could also potentially lead to high-level access to cloud environments.
This is made possible through the abuse of GitHub Actions artifacts generated as part of organizations’ CI/CD workflows. A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume. This allows malicious actors with access to these artifacts the potential of compromising the services to which these secrets grant access.
Read more…
Source: Palo Alto Unit 42
Related:
- Researcher claims Salt Typhoon spies attended Cisco training scheme
December 11, 2025
A security researcher specializing in tracking China threats claims two of Salt Typhoon’s members were former attendees of a training scheme run by Cisco. SentinelLabs’ Dakota Cary linked Yu Yang and Qiu Daibing, two alleged members of the Chinese state hacking group, to participants of the 2012 Cisco Networking Academy Cup. The initiative is still going ...
- CVE-2025-55182: React2Shell Analysis, Proof-of-Concept Chaos, and In-the-Wild Exploitation
December 10, 2025
Trend Micro researchers have previously published a blog on what organizations need to know about the actively exploited CVE-2025-55182, which is a critical (CVSS 10.0) pre-authentication remote code execution vulnerability affecting React Server Components (RSC) used in React.js, Next.js, and related frameworks. RSC is a modern architecture where UI components run on the server instead of ...
- Patch Tuesday – December 2025
December 10, 2025
Microsoft is publishing a relatively light 54 new vulnerabilities this December 2025 Patch Tuesday, which is significantly lower than we have come to expect over the past couple of years. Today’s list includes two publicly disclosed remote code vulnerabilities, and a single exploited-in-the-wild vulnerability. Three critical remote code execution (RCE) vulnerabilities are also patched today; Microsoft ...
- U.S. Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups
December 9, 2025
The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other victims around the world, in support of Russia’s geopolitical interests. Dubranova was extradited to the ...
- Goodbye, dark Telegram: Blocks are pushing the underground out
December 9, 2025
Telegram has won over users worldwide, and cybercriminals are no exception. While the average user chooses a messaging app based on convenience, user experience and stability (and perhaps, cool stickers), cybercriminals evaluate platforms through a different lens. When it comes to anonymity, privacy and application independence – essential criteria for a shadow messaging app – ...
- National cybercrime network operating for 14 years dismantled in Indonesia
December 8, 2025
Security researchers have uncovered enormous cybercrime infrastructure in Indonesia that’s been operating unabated for more than 14 years. The length of the operation, the domains included, the malware circulated, and the data being sold on the black market, were all so big that the researchers – Malanta.ai – said the campaign resembles a nation-state campaign ...