惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

V
Vulnerabilities – Threatpost
V
V2EX
GbyAI
GbyAI
Recent Announcements
Recent Announcements
Microsoft Security Blog
Microsoft Security Blog
阮一峰的网络日志
阮一峰的网络日志
Hugging Face - Blog
Hugging Face - Blog
T
Tailwind CSS Blog
Y
Y Combinator Blog
C
Check Point Blog
爱范儿
爱范儿
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
美团技术团队
雷峰网
雷峰网
IT之家
IT之家
WordPress大学
WordPress大学
V
Visual Studio Blog
Microsoft Azure Blog
Microsoft Azure Blog
MyScale Blog
MyScale Blog
N
News and Events Feed by Topic
罗磊的独立博客
S
SegmentFault 最新的问题
S
Security Affairs
aimingoo的专栏
aimingoo的专栏
F
Fortinet All Blogs
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
H
Hacker News: Front Page
Google DeepMind News
Google DeepMind News
B
Blog
O
OpenAI News
C
Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
The Last Watchdog
The Last Watchdog
Hacker News: Ask HN
Hacker News: Ask HN
博客园_首页
人人都是产品经理
人人都是产品经理
C
Cybersecurity and Infrastructure Security Agency CISA
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Help Net Security
Help Net Security
月光博客
月光博客
J
Java Code Geeks
L
LangChain Blog
博客园 - 司徒正美
Stack Overflow Blog
Stack Overflow Blog
Security Archives - TechRepublic
Security Archives - TechRepublic
Apple Machine Learning Research
Apple Machine Learning Research
T
The Exploit Database - CXSecurity.com
N
News and Events Feed by Topic
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More

Kaspersky official blog

Key vulnerabilities of Microsoft’s July 2026 Patch Tuesday Meta launched and almost instantly rolled back a feature that trained its AI image generator on Instagram user content. Combating AI-powered BEC attacks What’s wrong with Meta's NameTag feature and why you should be wary of it Targeted phishing attacks on manufacturing companies Why CAPTCHAs are about to vanish: how AI rewrote the "prove you're human" test The unpatchable backdoor in Yarbo robot mowers | Kaspersky official blog Managing the risks of LLM aggregators and AI API proxies Social engineering: how scammers manipulate their victims How today's threat actors break into companies How hackers use PowerShell scripts to steal Telegram accounts How Hola Browser was weaponized to spread a Monero miner World Cup 2026: watch out for these scams Building an autonomous SOC: core challenges and solutions The FROST attack: how SSD access delays expose users’ activity Taming shadow-AI on corporate devices Hentai games with a nasty twist XChat: what’s wrong with Elon Musk’s new messaging app? Turning off uninvited AI on corporate devices Security gateway for autonomous vehicles Is Wi-Fi safe in Mexico? The great messaging heist targeting your wallet Don’t let fake IPTV apps ruin your World Cup Attackers disguising phishing as Google AppSheet notifications Qualcomm vulnerability: phone repairs and car maintenance are no longer safe A lost art finds its way into phishing emails Is your TV box renting out your network? How to turn off unapproved AI tools across organization Subscription security: how to protect your account, your wallet… and your sanity 面向家庭和商业企业的卡巴斯基网络安全解决方案 | 卡巴斯基 LLM raiders and how to repel them What happens in the bedroom stays in the bedroom AirSnitch: attacking Wi-Fi client isolation and guest networks Fake ticket websites exploiting BTS world tour Is your security system secure? The most notable supply-chain attacks of 2025
250,000 misconfigurations in GitHub Actions
GReAT · 2026-06-26 · via Kaspersky official blog

A GReAT study has identified ~250,000 potential security issues in publicly accessible GitHub Actions.

250,000 misconfigurations in GitHub Actions

Stories about supply chain attacks appear in the news with alarming regularity. In most cases they begin when attackers compromise publicly available packages. This may give the impression that the main danger of public repositories lies in the fact that someone could steal a developer’s credentials and inject malicious code into the software they create. However, in reality, this isn’t the only thing to be wary of when working with repositories hosting open-source projects. Misconfigurations of key components can also be a source of problems.

In particular, GitHub Actions — automation scripts that enable the creation of continuous integration and continuous delivery (CI/CD) pipelines — can pose a risk. Errors and misconfigurations in these scripts are periodically exploited by attackers in real-world attacks. A prime example is the recent Mini Shai-Hulud malware campaign. While it also began with the compromise of a popular project’s maintainer, the malware distributed during this campaign stole secrets specifically by exploiting a flaw in GitHub Actions.

Using a new set of rules for Kaspersky Container Security, our experts from the Global Research and Analysis Team (GReAT) conducted a security analysis of GitHub Actions across ~30,000 popular GitHub repositories. In short, automation pipelines in only 10% of these repositories raised no concerns.

Detailed research results

In total, the rules implemented as part of the latest KCS release were used to scan ~130,000 pipelines. They identified more than 250,000 potential deviations from recommendations for secure CI/CD configuration. Of course, these deviations cannot be considered vulnerabilities in and of themselves, but they do indicate areas where the configuration may require additional review and more careful tuning.

Of these 250,000+ deviations, 59.8% can be classified as low risk, and 39.8% — medium risk. However, in 0.4% of cases, more serious misconfigurations were found, which our technologies classified as high risk. Furthermore, critical flaws found in eight repositories could potentially lead to supply chain compromise. The affected repositories covered a wide range of use cases — including AI integration in enterprise environments, services for developers and automation, and as well as security testing tools. Of course, our experts reported these critical issues to the maintainers of the relevant repositories.

Here are the most common flaws found in the GitHub Actions we reviewed:

  • implicitly defined or overly broad access permissions,
  • lack of version pinning for used dependances,
  • configuration settings applied at the workflow level.

In addition, more dangerous patterns were found: (i) exposure of secrets at the top level, (ii) potentially insecure run conditions, and (iii) insecure handling of external data. Fortunately, however, these were much less common.

How can you stay safe?

Misconfigurations in GitHub Actions can potentially turn development pipelines into tools for attackers, allowing them to compromise the development environment or attack a company’s infrastructure. Issues identified in a timely manner will enable developers to build more secure processes and minimize the risk of supply chain compromise.

Searching for misconfigurations in GitHub Actions.

Searching for misconfigurations in GitHub Actions.

The set of rules mentioned above, which was used in this study, is now available to Kaspersky Container Security users following the latest update. With this set of rules, our solution can detect misconfigurations in GitHub Actions both by scanning repositories and by being integrated directly into CI/CD pipelines. You can learn more about the KSC solution on its page.

Tips

Cracked in under a minute: (nearly) every other password

We’ve revisited our study on the crackability of real-world passwords leaked on the dark web — originally conducted two years ago. The findings are sobering: nearly every other password can be cracked in under a minute, and three out of five take less than an hour. How can we move away from insecure passwords?

Is your security system secure?

Protecting a security console is more critical than one might think. Here’s the lowdown on control-layer compromise, and how to keep it from happening.