GitHub Security Lab Details Rising Pattern of Actions-Based Supply Chain Attacks, Urges Trusted Publishing
GitHub Security Lab warns of a growing attack pattern where adversaries compromise GitHub Actions workflows to exfiltrate secrets and publish malicious packages, urging adoption of OIDC-based trusted publishing and CodeQL workflow reviews.

GitHub Security Lab has published a detailed analysis of a rising pattern in open-source supply chain attacks, where adversaries focus on compromising GitHub Actions workflows to exfiltrate secrets such as API keys. These stolen credentials are then used to publish malicious packages from attacker-controlled machines and gain access to additional projects to propagate the attack. The post, published on the GitHub Blog, outlines immediate steps developers can take to secure their workflows and highlights ongoing platform improvements.
The most critical recommendation is enabling CodeQL to review GitHub Actions workflow implementations, a free capability available on public repositories. CodeQL can inspect workflows for security best practices. Additionally, GitHub advises against triggering workflows on `pull_request_target`, and recommends pinning third-party Actions to full-length commit SHAs (with updates handled only by the repository owner or Dependabot) and staying vigilant about script injection when referencing user-submitted content. When attacks occur, GitHub publishes information about compromised dependencies in its Advisory Database, and tools like Dependabot can notify users of malicious or vulnerable dependencies.
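The three workflow recommendations above can be approximated with a line-based check. The following is an added example, not code from the GitHub post and not CodeQL's own queries; the sample workflow, the `example-org` action names and the rule names are constructed for illustration.

```python
import re
# Constructed sample workflow (not from the GitHub post); action names are placeholders.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/setup-tool@v2
      - uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - name: Unsafe echo
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
      - name: Safer echo
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $TITLE"
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"@[0-9a-f]{40}$")
RUN_RE = re.compile(r"^(\s*(?:-\s*)?)run:")
# Expressions that expand event data (PR titles, branch names) into the script text.
UNTRUSTED_RE = re.compile(r"\$\{\{[^}]*\bgithub\.(?:event\.|head_ref\b)[^}]*\}\}")

def audit_workflow(text):
    """Return (line_number, rule) findings for one workflow file, in line order."""
    findings, run_col = [], None  # run_col: column of the active `run:` key
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if run_col is not None and indent <= run_col:
            run_col = None  # a dedent closes the run block
        run = RUN_RE.match(line)
        if run:
            run_col = len(run.group(1))
        if "pull_request_target" in line:
            findings.append((n, "pull_request_target-trigger"))
        uses = USES_RE.match(line)
        if uses:
            ref = uses.group(1).strip("'\"")
            # Local actions ship with the repository, so there is no ref to pin.
            if not ref.startswith("./") and not FULL_SHA_RE.search(ref):
                findings.append((n, "action-not-pinned-to-full-sha"))
        if run_col is not None and UNTRUSTED_RE.search(line):
            findings.append((n, "untrusted-expression-in-run"))
    return findings
```

On the sample, the tag-pinned action and the title interpolated directly into `run:` are flagged, while the SHA-pinned action and the step that passes the title through an `env:` variable are not.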
A key theme of the post is the shift away from using secrets in workflows. Instead, GitHub recommends using OpenID Connect (OIDC) tokens that contain the workload identity of the workflow to authorize activities. This capability, called trusted publishing, has been integrated with numerous systems including cloud providers, package repositories, and other hosted services. GitHub has partnered with the OpenSSF to support trusted publishing in package repositories, which is now supported across npm, PyPI, NuGet, RubyGems, Crates, and others. Trusted publishing not only removes secrets from build pipelines but also provides a valuable signal: when a newly published package stops using trusted publishing, the community can investigate whether the package came from an attacker using exfiltrated credentials.
npm, the world's largest package repository with over 30,000 packages published daily, scans every package version for malware. Hundreds of newly published packages contain malicious code each day, and each detection is reviewed by a human to confirm it's a true positive before action is taken. At this scale, even a 1% false-positive rate would disrupt hundreds of legitimate publishes daily. The post emphasizes that these detections are constantly updated and improved as attacks evolve.
The post also references the Shai-Hulud attacks in late 2025, which motivated a revamped security roadmap for npm. In response, GitHub accelerated the rollout of capabilities like npm trusted publishing, continued work on malware detection and removal, and engaged with open source maintainers on what npm security capabilities would have the biggest positive impact. Similarly, with the most recent round of attacks, GitHub is revisiting its security roadmap for GitHub Actions and accelerating actions security capabilities where work was already underway.
The post concludes by acknowledging that open source is a global public good and one of humanity's greatest collaborative projects. GitHub states it has not seen the end of attacks on open source but is committed to defending it across npm, Actions, or whatever comes next. The company invites feedback on what security capabilities are most impactful and how to manage the transition to a more secure future.