Chainguard found a vulnerability in GitHub Actions that bypasses allowed Workflow settings by using commits from forked repositories. Read the report.
A compromised npm maintainer account published 631 malicious versions across 314 packages including size-sensor, echarts-for-react, timeago.js, and hundreds of @antv scoped packages, affecting 15M+ monthly downloads.
Practical resources for offensive CI/CD security research. Curated the best resources I've seen since 2021. - TupleType/awesome-cicd-attacks
Turning Almost Nothing into a Supply Chain Compromise of Angular with GitHub Actions Cache Poisoning - Security research by adnanthekhan
Contribute to npm-pub-2025/ci-publish development by creating an account on GitHub.
Insights and guidance from our engineering team on how Astral secures its tools.
Anne Robinson would like a word with .github/workflows
Learn how Datadog detected and resolved issues from hackerbot-claw, an AI-powered automated attack campaign.
Detect potential fork commits (imposter commits) in GitHub repositories. Identify supply chain attack vectors.
GitHub's plan to harden GitHub Actions and supply chain security, automating and scaling SAST and SCA vuln management, OSS tool that uses AI agents to reason about vulns across repos