GitHub Actions
Coverage of GitHub Actions in the Nexus archive.
- Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack
Miasma malware, part of the Mini Shai-Hulud, Miasma, and Hades family, has compromised new npm packages like LeoPlatform and RStreams while expanding to the Go ecosystem. The attack also involves malicious GitHub Actions workflow abuse.
- Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries
A lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch, and DevOps libraries, using typosquatting and metadata spoofing to steal cloud credentials and CI/CD secrets. Microsoft reported the attack, which involved a credential-harvesting payload and techniques like inflated version numbers to appear legitimate, with all packages later removed.
- GitHub Actions outage told devs 'your account is suspended'
GitHub Actions experienced a three-hour outage with incorrect 'account suspended' error messages, disrupting CI/CD workflows and causing developer stress. The issue stemmed from authentication problems, and GitHub's reliability challenges have prompted discussions about alternatives, though its user base and activity continue to grow.
- GitHub Actions down again today
GitHub Actions experienced downtime today, as reported on GitHub's official status page. The issue was also mentioned on Hacker News with 25 points but no comments.
- Incident with Actions and Pages
A GitHub incident affected Actions and Pages services, as reported on GitHub's status page and discussed on Hacker News with 25 points and 8 comments.
- Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows
A large-scale cyberattack called Megalodon has injected malicious commits into over 5,500 GitHub repositories using forged identities and automated CI/CD workflows. The campaign pushed thousands of malicious commits within a six-hour window, employing base64-encoded bash payloads designed to exfiltrate data from continuous integration environments.
- GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials
Threat actors have compromised the GitHub Actions workflow actions-cool/issues-helper to steal sensitive credentials. The attack redirects existing tags to an imposter commit, exfiltrating credentials to an attacker-controlled server. This is a software supply chain attack targeting GitHub users.
- TanStack weighs invitation-only pull requests after supply chain attack
The TanStack team is considering making pull requests invitation-only after a supply chain attack used malicious code from the Shai-Hulud worm. The attack poisoned a cache used across the entire repository and led to security measures being proposed. The team is weighing the benefits of increased security against potential deterrents to contributions.
- GitHub Actions issued GitHub_TOKEN disclosure in GitHub Actions logs
GitHub Actions has issued a GitHub_TOKEN disclosure in its logs, which may pose a security risk. The issue is being tracked through a security advisory on GitHub. Users can find more information and comments on the news.ycombinator website.
- Google's fix for critical Gemini CLI bug might break your CI/CD pipelines
Google has patched a critical CVSS 10.0 RCE vulnerability in the Gemini CLI tool, which could disrupt CI/CD pipelines for users relying on headless mode or GitHub Actions. The update is automatic for some, but users are urged to review workflows for potential breakages.
- GitHub Actions is the weakest link
The article critiques GitHub Actions for being a security vulnerability, highlighting risks from misconfigurations and inadequate access controls. It argues that reliance on GitHub Actions can expose organizations to breaches if not properly managed.
- GitHub Copilot code review will start consuming GitHub Actions minutes
GitHub Copilot code review will begin consuming GitHub Actions minutes starting June 1, 2026. This change affects how users track and manage their Actions minutes, particularly those utilizing Copilot for code reviews. The update was announced via the GitHub blog and has sparked discussion on Hacker News.
- OpenAI rotates macOS certs after Axios attack hit code-signing workflow
OpenAI is rotating macOS code-signing certificates following a supply chain attack that exploited a malicious Axios package via GitHub Actions. The incident highlights vulnerabilities in code-signing workflows and third-party dependencies.
- OpenAI Revokes macOS App Certificate After Malicious Axios Supply Chain Incident
OpenAI revoked a macOS app certificate after a GitHub Actions workflow was exploited to download a malicious Axios library on March 31. The company confirmed no user data or internal systems were compromised but took precautionary steps to secure its app certification process.
- Chainguard Unveils Factory 2.0 to Automate Hardening the Software Supply Chain
Chainguard has launched Factory 2.0, an updated platform designed to enhance software supply chain security through automated hardening. The platform focuses on continuous reconciliation of open source artifacts across containers, libraries, agent skills, and GitHub Actions.