GitHub Actions Cache Poisoning is eating open source
GitHub Actions cache poisoning is a structural vulnerability that has compromised major open-source projects including Angular, tj-actions, Cline, and TanStack over the past two years. The attack works by exploiting the shared cache pool across all workflows in a repo — a less-trusted PR workflow can write a poisoned dependency directory under the same cache key that a privileged release workflow will later restore, giving attackers code execution inside a workflow with publish secrets. Two main entry points are pull_request_target workflows that check out PR code, and AI agent workflows vulnerable to prompt injection. The post provides six concrete audits to run immediately (grep commands included) and ten prioritized mitigations: replacing pull_request_target with pull_request, disabling caching in release workflows, pinning all third-party actions to commit SHAs, sanitizing untrusted input, adding zizmor as a required PR check, locking .github/ with CODEOWNERS, using OIDC trusted publishing, enforcing non-SMS 2FA, setting package install cooldowns (e.g., pnpm minimumReleaseAge), and treating AI agent config files as executable code. A dead-man's switch in the TanStack payload that runs rm -rf ~/ on token revocation is also documented, with safe remediation steps.
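As an added example (not code from the original post), the script below runs three of the audits the summary names over constructed sample workflow files: pull_request_target workflows that check out PR code, third-party actions not pinned to a commit SHA, and a cache restore inside a workflow that also handles publish secrets. The two workflow files, the temporary directory and the 40-hex placeholder SHA are all constructed here for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: an offline audit of a
# .github/workflows directory for three patterns the post warns about.
set -eu

make_samples() {   # writes two constructed workflow files into "$1"
  mkdir -p "$1"
  cat > "$1/preview.yml" <<'EOF'
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
EOF
  cat > "$1/release.yml" <<'EOF'
on: { push: { tags: ['v*'] } }
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: actions/cache@v4
      - run: npm publish
        env: { NODE_AUTH_TOKEN: "${{ secrets.NPM_TOKEN }}" }
EOF
}

audit_workflows() {   # prints one line per finding for every workflow in "$1"
  for wf in "$1"/*.yml "$1"/*.yaml; do
    [ -f "$wf" ] || continue
    # 1. pull_request_target trigger combined with a checkout of the PR head
    if grep -q 'pull_request_target' "$wf" && grep -q 'pull_request\.head' "$wf"; then
      echo "PRT_CHECKOUT $wf"
    fi
    # 2. uses: references that are not a full 40-hex commit SHA (tags/branches move)
    grep -E 'uses:[[:space:]]*[^@[:space:]]+@' "$wf" \
      | grep -Ev '@[0-9a-f]{40}([[:space:]]|$)' | sed "s|^|UNPINNED $wf:|" || true
    # 3. cache restore in a workflow that also reads a secret (release/publish job)
    if grep -q 'actions/cache@' "$wf" && grep -q 'secrets\.' "$wf"; then
      echo "CACHE_WITH_SECRET $wf"
    fi
  done
}

tmp=$(mktemp -d); make_samples "$tmp"; audit_workflows "$tmp"
```

Point audit_workflows at a real repository's .github/workflows directory to get the same three finding types; the cache finding is a prompt to review the job, not proof of exploitability on its own.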
Table of contents
What GitHub Actions cache poisoning actually is
Why does it keep working
What to audit in your repos today
What to change, in priority order
If you already got hit
Closing
References