{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/credential-leakage/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40313"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["credential-leakage","supply-chain","github-actions","cve-2026-40313"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, faces a critical vulnerability (CVE-2026-40313) in versions 4.5.139 and below. The vulnerability stems from the ArtiPACKED attack vector within GitHub Actions workflows. Specifically, the use of actions/checkout without setting \u003ccode\u003epersist-credentials: false\u003c/code\u003e causes the GITHUB_TOKEN to be written to the \u003ccode\u003e.git/config\u003c/code\u003e file. When subsequent workflow steps upload artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Given that PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens. Successful exploitation allows attackers to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and ultimately compromise the entire supply chain, affecting all downstream users. The issue is present across multiple workflow and action files within the \u003ccode\u003e.github/workflows/\u003c/code\u003e and \u003ccode\u003e.github/actions/\u003c/code\u003e directories. Version 4.5.140 addresses and resolves this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains read access to the public PraisonAI GitHub repository.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a GitHub Actions workflow that uploads artifacts.\u003c/li\u003e\n\u003cli\u003eThe workflow uses \u003ccode\u003eactions/checkout\u003c/code\u003e without \u003ccode\u003epersist-credentials: false\u003c/code\u003e, causing the GITHUB_TOKEN to be written to \u003ccode\u003e.git/config\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe workflow uploads an artifact (e.g., build output, logs, test results) that includes the \u003ccode\u003e.git/config\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eAttacker downloads the artifact.\u003c/li\u003e\n\u003cli\u003eAttacker extracts the GITHUB_TOKEN from the \u003ccode\u003e.git/config\u003c/code\u003e file within the artifact.\u003c/li\u003e\n\u003cli\u003eAttacker uses the leaked GITHUB_TOKEN to authenticate to the PraisonAI repository.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the compromised GITHUB_TOKEN to inject malicious code, poison releases/packages, steal secrets, or perform other malicious activities, leading to a supply chain compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40313 in PraisonAI versions 4.5.139 and below can result in a severe supply chain compromise. Attackers can inject malicious code into the PraisonAI repository, poison releases and associated packages (PyPI, Docker), and steal sensitive repository secrets. This can lead to widespread distribution of malware to downstream users of PraisonAI, compromising their systems and data. The vulnerability affects any user relying on PraisonAI and its distributed components.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI to version 4.5.140 or later to patch CVE-2026-40313.\u003c/li\u003e\n\u003cli\u003eAudit all GitHub Actions workflows in your organization to ensure that \u003ccode\u003eactions/checkout\u003c/code\u003e is used with \u003ccode\u003epersist-credentials: false\u003c/code\u003e to prevent credential leakage.\u003c/li\u003e\n\u003cli\u003eMonitor public repositories for inadvertently exposed configuration files containing credentials, and rotate potentially compromised tokens immediately.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect GitHub Workflow Artifact Containing Git Config\u0026rdquo; to identify leaked git configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T04:17:13Z","date_published":"2026-04-14T04:17:13Z","id":"/briefs/2026-04-praisonai-artifact-leakage/","summary":"PraisonAI versions 4.5.139 and below are vulnerable to credential leakage due to the ArtiPACKED attack, where GitHub Actions workflows using actions/checkout without persist-credentials: false write the GITHUB_TOKEN into the .git/config file, leading to potential exposure in uploaded artifacts and subsequent supply chain compromise.","title":"PraisonAI GitHub Actions Credential Leakage Vulnerability (CVE-2026-40313)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-artifact-leakage/"}],"language":"en","title":"CraftedSignal Threat Feed — Credential-Leakage","version":"https://jsonfeed.org/version/1.1"}