cyber security researchers Kaspersky detected more than 250,000 potential security misconfigurations in GitHub Actions workflows across thousands of popular open source projects. The findings highlight how easily automated development pipelines can become entry points for attackers targeting the software supply chain. Kaspersky‘s Global Research and Analysis Team (GReAT) examined the workflows of nearly 30,000 of the platform’s most starred repositories.
Their scans covered more than 130,000 individual lines using new detection rules added to the company’s Container. Security solution.
Only 10 percent of warehouses analyzed triggered no alerts.
Problems were separated according to their level of importance. About 60 percent fell into the low-risk category, about 40 percent were rated as medium risk, and only 0.4 percent qualified as high risk. Overall, the researchers flagged 200 data stores as high risk.
Eight of these contained critical misconfigurations that could compromise the entire supply chain.
The affected projects covered a variety of areas, including: artificial intelligence tools for businesses, developer services, automation platforms and security testing utilities.
The company has already notified the maintainers of these warehouses.
The most common problems were granting overly broad or implicit permissions and failure to detect specific versions of actions or dependencies.
Less frequent but more dangerous patterns included revealing secrets at the top level of workflow files, using unsafe conditions to trigger runs, and insecure processing of data from external sources.
These vulnerabilities are important because GitHub Actions have become a fundamental part of modern applications. software development.
When configured incorrectly, the same automation that speeds code creation and deployment can provide attackers with a direct path to trusted environments.
Attackers can inject malicious code into versions, steal credentials, or damage subprojects connected to affected repositories.
The research comes shortly after the Mini Shai-Hulud campaign in May 2026, in which attackers exploited similar weaknesses in GitHub Actions pipelines.
This incident led to the compromise of more than 170 packages across npm and PyPI, affecting well-known projects such as TanStack, Mistral AI, and OpenSearch.
Leonid Bezvershenkosenior security Kaspersky GReAT researcher observed that many recent supply chain incidents could have been prevented by better adherence to secure CI/CD configuration practices.
He noted that the problems detected do not automatically mean that a warehouse is currently compromised. Instead, they flag areas where developers need to review and harden their setup.
He added that identifying these gaps early helps organizations create more resilient pipelines and reduces the chances of success. attacks.
Experts recommend a few simple steps: Clearly define the minimum permissions required for each workflow, always pin or hash actions and dependencies to specific versions, avoid revealing secrets unnecessarily, and carefully verify all external inputs.
Organizations can also benefit from automatic scanning tools Checking repositories or working within pipelines to catch issues before code reaches production.
Like open source Components continue to form the basis of much of today’s software; It has become important to ensure the security of the automation layers that create and distribute them. Kaspersky research findings It serves as a stark reminder that even widely used platforms require constant attention to configuration hygiene to keep the broader software ecosystem safe.
