{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/artipacked/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40903"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-40903","github_token","credential-access","artipacked"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe goshs SimpleHTTPServer, written in Go, is susceptible to an ArtiPACKED vulnerability (CVE-2026-40903) in versions prior to 2.0.0-beta.6. This vulnerability can lead to the unintended leakage of the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e through workflow artifacts. Even if the token is not directly present in the repository\u0026rsquo;s source code, the ArtiPACKED issue allows for its exposure during workflow execution. This is a significant risk for projects using goshs in their CI/CD pipelines, as a compromised \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e can grant attackers unauthorized access to the repository and its associated resources. Organizations utilizing goshs should upgrade to version 2.0.0-beta.6 or later to mitigate this vulnerability. \nThe vulnerability was reported and patched in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer introduces a vulnerable version of goshs (prior to 2.0.0-beta.6) into a project\u0026rsquo;s dependencies.\u003c/li\u003e\n\u003cli\u003eThe project utilizes GitHub Actions or a similar CI/CD system.\u003c/li\u003e\n\u003cli\u003eThe CI/CD workflow is configured to use or interact with the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the ArtiPACKED vulnerability, the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e becomes exposed within the workflow\u0026rsquo;s generated artifacts.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to these workflow artifacts, potentially through misconfigured permissions or compromised systems.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the leaked \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e from the artifacts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e to authenticate to the GitHub repository.\u003c/li\u003e\n\u003cli\u003eWith the compromised token, the attacker can perform actions such as code modification, secret retrieval, or infrastructure changes depending on the token\u0026rsquo;s permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40903 can lead to the leakage of sensitive \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e credentials, potentially granting unauthorized access to the affected GitHub repository. The impact of this vulnerability could include code tampering, unauthorized access to secrets, and potential compromise of associated infrastructure. The CVSS v3.1 score of 9.1 highlights the critical nature of this vulnerability. \nThe number of affected organizations depends on the adoption rate of vulnerable goshs versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade goshs to version 2.0.0-beta.6 or later to remediate the ArtiPACKED vulnerability as detailed in CVE-2026-40903.\u003c/li\u003e\n\u003cli\u003eReview and restrict the permissions granted to the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e in GitHub Actions workflows to minimize potential impact if the token is compromised.\u003c/li\u003e\n\u003cli\u003eImplement artifact scanning tools to detect potential secrets leakage in CI/CD workflow artifacts.\u003c/li\u003e\n\u003cli\u003eMonitor GitHub audit logs for suspicious activity originating from the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e, particularly after the introduction or update of goshs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-goshs-github-token-leakage/","summary":"The goshs SimpleHTTPServer prior to version 2.0.0-beta.6 is vulnerable to ArtiPACKED, potentially leading to leakage of the GITHUB_TOKEN through workflow artifacts.","title":"goshs GitHub Token Leakage via ArtiPACKED Vulnerability (CVE-2026-40903)","url":"https://feed.craftedsignal.io/briefs/2026-04-goshs-github-token-leakage/"}],"language":"en","title":"CraftedSignal Threat Feed — Artipacked","version":"https://jsonfeed.org/version/1.1"}