Tenable researchers disclosed a critical vulnerability (CVSSv4 9.3) in Microsoft's Windows Driver Samples GitHub repository that allowed any registered GitHub user to achieve remote code execution on the repository's CI runners by filing a malicious GitHub issue. The flaw was a workflow injection: untrusted text from the issue description was expanded into a script that the workflow then executed, so an attacker who placed Python code in the description could run it on the runner, exfiltrate the GITHUB_TOKEN and other secrets, perform unauthorized repository operations with that token, and stage a supply chain attack against the repository's consumers. Microsoft has patched the flaw via a pull request. The disclosure highlights the growing threat to CI/CD pipelines; OWASP and IANS Research have also warned about escalating supply chain attacks, including a recent compromise of Aqua Security's Trivy scanner. Tenable recommends auditing workflows for injection vulnerabilities, restricting GITHUB_TOKEN permissions to the minimum each workflow needs, and treating CI/CD infrastructure as a critical part of the attack surface.
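The class of bug described above, and the audit Tenable recommends, can be illustrated with a small scanner. The following is an added example, not code from Tenable, Microsoft, or the Windows Driver Samples repository: it walks a GitHub Actions workflow line by line and flags `${{ ... }}` expressions inside `run:` steps that reference contexts an outside contributor controls (issue and pull request titles and bodies, comment bodies, head branch names, commit messages). The embedded workflow is constructed for illustration and contains one vulnerable step beside its hardened form; the list of untrusted contexts is an assumed subset, not an exhaustive one.

```python
"""Flag GitHub Actions `run:` steps that splice attacker-controlled event data
into the script text via ${{ ... }} expressions.

Added example, not code from Tenable or from the Windows-Driver-Samples repo.
SAMPLE_WORKFLOW below is constructed for illustration; UNTRUSTED_RE is an
assumed subset of the contexts an outside contributor can influence.
"""
import re

# ${{ expression }} is expanded by Actions *before* the script reaches the shell,
# so shell quoting around it offers no protection.
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
# The `run:` key, with or without a leading list dash, and whatever follows it.
RUN_KEY_RE = re.compile(r"^(-\s+)?run:\s*(.*)$")
# Individual context references inside one expression.
CONTEXT_RE = re.compile(r"github\.[A-Za-z0-9_.\[\]*]+")
# Contexts whose value an outside contributor controls (assumed subset).
UNTRUSTED_RE = re.compile(
    r"^github\.(?:"
    r"head_ref"
    r"|event\.(?:issue|pull_request|discussion)\.(?:title|body)"
    r"|event\.(?:comment|review|review_comment)\.body"
    r"|event\.pull_request\.head\.(?:ref|label)"
    r"|event\.(?:head_commit|commits\[\d+\]|workflow_run\.head_commit)\.message"
    r")$"
)


def untrusted_refs(expression: str) -> list[str]:
    """Return the attacker-controlled context references used in one expression."""
    return [c for c in CONTEXT_RE.findall(expression) if UNTRUSTED_RE.match(c)]


def find_run_injections(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, context) for every untrusted expression inside a run: value.

    Only `run:` values are treated as sinks. Passing the same expression through
    `env:` is the safe pattern: the value then reaches the script as data in an
    environment variable instead of being pasted into the script's source text.
    """
    findings = []
    in_run = False
    run_indent = 0
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        m = RUN_KEY_RE.match(stripped)
        if m:
            # Continuation lines of a block scalar are indented past the key itself.
            in_run = True
            run_indent = indent + len(m.group(1) or "")
            candidates = [m.group(2)]
        elif in_run and stripped == "":
            continue  # blank lines are allowed inside block scalars
        elif in_run and indent > run_indent:
            candidates = [stripped]
        else:
            in_run = False  # dedent: next key or next step
            continue
        for text in candidates:
            for expr in EXPR_RE.findall(text):
                for ref in untrusted_refs(expr):
                    findings.append((lineno, ref))
    return findings


# Constructed sample: an issue-triage workflow with a vulnerable step (line 15)
# and the hardened equivalent that passes the body through env: instead.
SAMPLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
permissions:
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # Vulnerable: the issue body is spliced into the script text before it runs.
      - name: Parse issue (vulnerable)
        run: |
          python3 - <<'EOF'
          body = "${{ github.event.issue.body }}"
          print(body)
          EOF
      # Hardened: the untrusted value reaches the script only as an environment variable.
      - name: Parse issue (hardened)
        env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          python3 - <<'EOF'
          import os
          body = os.environ["ISSUE_BODY"]
          print(body)
          EOF
"""

if __name__ == "__main__":
    for lineno, ref in find_run_injections(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} expanded inside run: (script injection)")
```

Run against the sample, the scanner reports only the vulnerable step; the hardened step references the same context but only under `env:`, which is the fix Tenable's recommendation points at. The scanner is line-based rather than a full YAML parser, so it is a triage aid for an audit, not a substitute for reviewing each flagged workflow.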

From devops.com (4 min read)
Table of contents: ‘Trivial’ Exploitation; Rising CI/CD Threats; Expanding the Attack Surface; Trivy Attack a Recent Example
