惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

H
Help Net Security
S
Secure Thoughts
I
Intezer
Project Zero
Project Zero
Stack Overflow Blog
Stack Overflow Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
F
Full Disclosure
P
Proofpoint News Feed
T
The Exploit Database - CXSecurity.com
人人都是产品经理
人人都是产品经理
博客园_首页
J
Java Code Geeks
Recorded Future
Recorded Future
K
Kaspersky official blog
GbyAI
GbyAI
S
Schneier on Security
The Cloudflare Blog
Spread Privacy
Spread Privacy
C
Cisco Blogs
The Hacker News
The Hacker News
博客园 - 三生石上(FineUI控件)
H
Hackread – Cybersecurity News, Data Breaches, AI and More
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
爱范儿
爱范儿
Microsoft Azure Blog
Microsoft Azure Blog
Know Your Adversary
Know Your Adversary
T
Tenable Blog
A
Arctic Wolf
Blog — PlanetScale
Blog — PlanetScale
H
Hacker News: Front Page
The Last Watchdog
The Last Watchdog
O
OpenAI News
Last Week in AI
Last Week in AI
B
Blog RSS Feed
T
Troy Hunt's Blog
G
GRAHAM CLULEY
N
Netflix TechBlog - Medium
Vercel News
Vercel News
量子位
The Register - Security
The Register - Security
Google Online Security Blog
Google Online Security Blog
Apple Machine Learning Research
Apple Machine Learning Research
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
C
CERT Recently Published Vulnerability Notes
Cisco Talos Blog
Cisco Talos Blog
U
Unit 42
Security Archives - TechRepublic
Security Archives - TechRepublic
C
Cyber Attacks, Cyber Crime and Cyber Security
N
News and Events Feed by Topic

Socket

White House Launches Gold Eagle Initiative to Manage Surge i... Suno Breached via Shai-Hulud Worm, Leaked Code Exposes AI Mu... Next.js moves to scheduled security releases - Socket 11 Malicious NuGet Tools Pose as Game Cheats to Drop a Windo... Compromised npm Packages in the AsyncAPI Namespace Deliver M... jscrambler npm Package Compromised in Supply Chain Attack - ... Fake Braintree NuGet Package Skims Credit Cards and Harvests... Compromised Injective SDK npm Package Exfiltrates Wallet Key... npm v12 Ships With Install Scripts Off by Default, Begins De... Malicious Go Module Exposes GitHub Malware Lure Network Span... pnpm 11.10 Hardens Registry Authentication to Block Token Re... Coordinated npm and PyPI Campaign Typosquats Popular Secure ... Node.js Considers Public Workflow for Security Reports Amid ... PolinRider: North Korea-Linked Supply Chain Campaign Expands... Risky Biz Podcast: AI Agents Are Raising the Stakes for Soft... Chrome and Firefox Extensions Posing as Free VPNs Add Clipbo... Miasma Mini Shai-Hulud Hits ImmobiliareLabs npm Packages - S... Rolldown Pulls Rust React Compiler Integration After Binary ... Miasma Mini Shai-Hulud Hits LeoPlatform npm Packages and Git... Frontier AI Is Now Critical Infrastructure - Socket The Code You Didn't Write Is Still Yours to Defend - Socket Introducing Repository Access Permissions and Custom Roles -... Socket MCP Adds Org Alerts, Threat Feed Review, and Package ... Socket Firewall Now Blocks Malicious VS Code and Open VSX Ex... 140+ Mastra npm Packages Compromised in Coordinated Supply C... npm Package Uses Prompt Injection and Token Flooding to Disr... Introducing Manifest Alerts - Socket GlassWASM: WebAssembly Malware Found in Trojanized Open VSX ... Socket for Linear Is Now Available - Socket US Government Forces Anthropic to Pull Claude Fable Days After Launch 152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Faked Google Search Traffic Andrew Becherer Joins Socket as Chief Information Security Officer Socket Partners with Replit to Block Malicious Packages in AI-Powered Development npm Tooling Bug Incorrectly Marks One-Character Packages as Security Holders Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems RubyGems Adds Cooldown Feature to Bundler for Newly Published Gems pnpm 11.5 Adds Support for Recognizing npm Staged Publishes pnpm 11.5 Adds Support for Recognizing npm Staged Publishes Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Federal Audit Finds NIST Wasted Funds With No Plan to Clear NVD Backlog Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages Famous Chollima Targets PHP Developers Through Compromised Packagist Package Famous Chollima Targets PHP Developers Through Compromised Packagist Package Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Rust Moves to Restrict LLM Use in Contributions After Months of Internal Debate Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Malicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and Passwords Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security Feross on TBPN: Socket's Series C and the State of Software Supply Chain Security OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI OSV Withdraws 157 Malware Reports After Automated False Positives Hit npm and PyPI TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io TrapDoor Crypto Stealer Supply Chain Attack Hits 34 Packages and Hundreds of Versions Across npm, PyPI, and Crates.io Laravel Lang Compromised with RCE Backdoor Across 700+ Versions Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects AI Has Taken Over Open Source npm Invalidates Granular Access Tokens as Mini Shai-Hulud Sweeps the Registry Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit Socket raises $60M Series C at $1B valuation led by Thrive Capital to secure AI-driven software development Socket Raises $60M Series C at a $1B Valuation to Help Enterprises Build Securely With AI Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor Active Supply Chain Attack Compromises @antv Packages on npm Popular node-ipc npm Package Infected with Credential Stealer TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks Packagist Urges Immediate Composer Update After GitHub Actions Token Leak GemStuffer Campaign Abuses RubyGems as Exfiltration Channel Targeting UK Local Government Socket Named to Rising in Cyber 2026 List of Top Cybersecurity Startups TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack fsnotify Maintainer Dispute Sparks Supply Chain Concerns Socket Releases Free Certified Patches for Critical vm2 Sandbox Escape 5 Malicious NuGet Packages Impersonate Chinese UI Libraries to Distribute Crypto Wallet and Credential Stealer pnpm 11 Adds Supply Chain Protection Defaults for Minimum Release Age and Exotic Subdependencies PyPI Fixes High-Severity Access Control Issues Found in Security Audit Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI Mini Shai-Hulud Spreads to Packagist: Malicious Intercom PHP Package Follows npm Compromise Intercom’s npm Package Compromised in Ongoing Mini Shai-Hulud Worm Attack lightning PyPI Package Compromised in Supply Chain Attack Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables SAP CAP npm Packages Hit by Supply Chain Attack Socket Has Acquired Secure Annex 73 Open VSX Sleeper Extensions Linked to GlassWorm Show New Malware Activations Introducing Reachability for PHP Introducing Data Exports Malicious Checkmarx Artifacts Found in Official KICS Docker Repository and Code Extensions Introducing Organization Notifications in Socket Introducing Reports: An Extensible Reporting Framework for Socket Data Socket for Jira Is Now Available Socket Named Top Sales Organization by RepVue NIST Officially Stops Enriching Most CVEs as Vulnerability Volume Skyrockets Socket Selected for OpenAI's Cybersecurity Grant Program Feross on the 10 Minutes or Less Podcast: Nobody Reads the Code 108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure Node.js Drops Bug Bounty Rewards After Funding Dries Up The Hidden Blast Radius of the Axios Compromise
GitHub Actions Checkout Now Blocks Risky pull_request_target...
Sarah Gooding · 2026-06-20 · via Socket

Sidebar CTA Background

Secure your dependencies with us

Socket proactively blocks malicious open source packages in your code.

Install

GitHub has released actions/checkout v7 with a new default protection aimed at one of the most persistent GitHub Actions supply chain risks: privileged workflows that check out and execute code from untrusted pull requests.

The change makes actions/checkout refuse common “pwn request” patterns when workflows run under pull_request_target or certain workflow_run events. These workflows execute in the context of the base repository, giving them access to the base repo’s GITHUB_TOKEN, secrets, default-branch cache access, and runner environment. When they also check out code from an unreviewed pull request from a fork, attacker-controlled code can run with the workflow’s full privileges.

GitHub said the new behavior is available now in actions/checkout@v7 and will be backported to all currently supported major versions on July 16, 2026. Workflows pinned to floating major tags such as actions/checkout@v4 will receive the protection automatically. Workflows pinned to a specific SHA, minor, or patch version will need to upgrade through Dependabot or another update process.

GitHub Finally Blocks a Long-Known pull_request_target Risk#

The risk GitHub is addressing has been public for years. In 2021, GitHub Security Lab warned that combining pull_request_target with an explicit checkout of an untrusted pull request can allow malicious PR authors to steal repository secrets or gain write permissions to the target repository.

pull_request_target was designed for trusted automation around pull requests, such as labeling, commenting, or applying project metadata. It runs the workflow definition from the target repository so maintainers can safely automate actions that require elevated permissions. But the checkout step controls which code actually lands in the runner workspace. If it pulls code from a forked pull request, the workflow can end up running attacker-controlled code with the base repository’s privileges.

That distinction has repeatedly confused maintainers. The workflow file may come from a trusted branch, while the scripts, package manifests, tests, or build commands it executes may come from an attacker-controlled fork. Once that happens, ordinary CI steps can become the attacker’s entry point. A dependency install, build command, test script, or local helper script may be enough to run attacker-controlled code inside a privileged workflow.

GitHub had already started tightening this area before the checkout change. In November 2025, it announced changes to pull_request_target and environment branch protection behavior, citing workflows that continued to run vulnerable versions from non-default branches even after maintainers fixed the default branch. GitHub’s own security hardening guidance for Actions has also long warned maintainers to treat untrusted input and privileged workflow execution carefully.

Recent Supply Chain Attacks Exploited Privileged PR Workflows#

Recent supply chain incidents show how GitHub Actions misconfigurations can turn a pull request workflow into a path for package compromise.

In the Nx supply chain attack, the project’s advisory described how a vulnerable PR validation workflow was used to trigger a more privileged publishing workflow. The publish workflow had access to the npm token used to release Nx packages, and the attacker modified workflow behavior to send that token to a webhook.

During the second wave of Shai-Hulud, PostHog disclosed that the attack began with a pull request that modified a script executed by a workflow handling external contributions. The workflow had been changed to use pull_request_target so it could automatically assign reviewers for forked contributions. The attacker used that path to steal a bot personal access token, then used that access to steal additional GitHub secrets, including an npm publishing token.

The TanStack compromise later showed another variation, chaining a pull_request_target pwn request with GitHub Actions cache poisoning across the fork-to-base repository boundary and runtime extraction of an OIDC token from the GitHub Actions runner process. The attacker published 84 malicious versions across 42 @tanstack/* packages without stealing a long-lived npm token.

The vulnerable behavior was widely understood by researchers, documented in hardening guidance, and detectable by static analysis, but it still kept appearing in production workflows. In open source projects with active external contributions, pull_request_target is commonly used for pull request automation that needs elevated permissions, such as labeling, triage, or authenticated status checks. The danger comes when that same privileged workflow also checks out code from an untrusted pull request. In many vulnerable workflows, the risky part is a small checkout configuration change buried in otherwise routine CI logic.

GitHub Now Blocks Unsafe Fork Checkouts#

With actions/checkout v7, GitHub is blocking the most common unsafe form of this pattern by default. In pull_request_target workflows, and in workflow_run workflows where the original event was a pull request event, checkout will refuse to fetch fork pull request code when the pull request comes from a fork and the configuration resolves to the fork repository, the pull request head or merge ref, or the fork pull request head or merge commit SHA.

GitHub lists examples such as:

ref: refs/pull/${{ github.event.pull_request.number }}/merge

ref: ${{ github.event.pull_request.head.sha }}

repository: ${{ github.event.pull_request.head.repo.full_name }}

Those are exactly the kinds of inputs maintainers have used when they wanted a privileged workflow to inspect or test the changes proposed by an external contributor. Under the new default, those checkouts fail unless the workflow explicitly opts out.

GitHub is also adding an allow-unsafe-pr-checkout input for workflows that intentionally need this behavior. The name is deliberately blunt, which should make it easier to spot in code review and static analysis. For teams that choose to opt out, the flag should be treated as a security-sensitive exception, not a normal compatibility setting.

GitHub Tightens the Default#

After a year of large-scale npm compromises tied to abused GitHub Actions workflows, GitHub is finally closing one of the most obvious paths from untrusted pull request code to privileged CI execution.

The protection in this update only covers checkouts performed through actions/checkout. A workflow can still introduce the same class of vulnerability by using git, the GitHub CLI, a custom script, or another action to pull attacker-controlled code and execute it inside a privileged context. The protection also does not cover unrelated third-party repositories passed to repository:, and it does not block pwn request patterns introduced through other event types, such as issue_comment.

That makes this a guardrail, not a complete solution for Actions security. Workflows that run with secrets, write permissions, deployment permissions, or OIDC publishing access still need careful review. In particular, maintainers should examine any workflow that combines privileged triggers with package installation, build scripts, local actions, test commands, generated artifacts, or cache restore/save behavior.

TanStack also showed the limits of Trusted Publishing as a CI/CD defense. The attacker did not steal an npm token or compromise the publish workflow itself; malware running inside the release workflow minted an OIDC token from the runner and published directly to npm.

The checkout update follows GitHub’s earlier changes to pull_request_target behavior in late 2025, when it moved to ensure those events use the default branch for workflow source and reference.

For maintainers, the immediate step is to update actions/checkout where versions are pinned too narrowly to receive the July 16 backport. For security teams, the longer-term task is to look beyond checkout itself: privileged pull request workflows that fetch untrusted refs, restore shared caches, execute package lifecycle scripts, or run local code before trust has been established.