How to identify unpinned and unpinnable GitHub actions across your organisation
Static analysis for GitHub Actions. Contribute to zizmorcore/zizmor development by creating an account on GitHub.
Python Package Index shares insights and provides guidance following LiteLLM/Telnyx supply-chain attacks
You may have seen the recent reports of malware that stole API keys, tokens and other secrets from a large number of developers. Where were these secrets stolen from? You guessed it, they were…
In March there was a particularly nasty supply chain attack targeting Aqua Security and their tools, including the widely used Trivy security scanner, which later spread to other projects. The attack was carried out by a threat actor named TeamPCP and began by exploiting an insecure GitHub Actions workflow that utilised the pull_request_target trigger – a type known to be dangerous and easily misused. Using this, they stole a Personal Access Token granting wider access to the aquasecurity org.
GitHub Actions misconfigurations have been behind some of the biggest supply chain attacks of 2025 and 2026. Here's what went wrong and how to prevent them from happening to your org.
Install zizmor with Anaconda.org. Static analysis for GitHub Actions
Insights and guidance from our engineering team on how Astral secures its tools.
🗹 Source the Best Ingredients: Evaluate before using / Trust the source: Prefer actions from trusted organisations (or GitHub org itself) 🗹 Measure precisely: Limit permissions and access to the…