GitHub supply chain attack spills secrets from 23,000 projects - MSN
GitHub generally suggests projects that use Actions should pin them to specific commit hashes instead of version tags if they want to avoid similar supply chain attacks in the future.
The multi-step supply chain attack eventually exposed secrets in 218 repositories, while the latest findings showed that the threat actors were initially attempting to breach projects belonging to ...
Cybersecurity researchers found risks in the GitHub Actions platform that could enable attackers to inject malicious code into software projects and initiate a supply chain attack. Topics ...
A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally ...
GitHub supply chain attack: GitHub Action 'tj-actions/changed-files' was compromised by attackers who added a malicious commit on March 14, 2025, to dump CI/CD secrets from the Runner Worker ...
A recent supply chain attack that compromised the popular tj-actions/changed-files GitHub action has left a trail of digital destruction, affecting 218 GitHub repositories. As investigators dig deeper ...
The Open Software Supply Chain Attack Reference (OSC&R) framework for supply chain security has gone live on GitHub, enabling anybody to contribute to the model. The MITRE ATT&CK ...
GitHub is set to require two-factor authentication for all developers who contribute code to any project on the platform, a move designed to bolster the software supply chain. The Microsoft-owned ...
PyPI halted new users and projects while it fended off supply-chain attack. Automation is making attacks on open source code repositories harder to fight. Dan Goodin – Mar 28, 2024 2:50 pm | 70 ...