JFrog's AI-powered security research bot, RepoHunter, proactively identified 13 critical CI/CD vulnerabilities across major open-source projects including Ansible, QGIS, Telepresence, and TC39 JavaScript proposals. The vulnerabilities stem from 'Pwn Request' patterns where GitHub Actions workflows using pull_request_target triggers execute untrusted contributor code in privileged contexts, exposing secrets and enabling supply chain attacks. RepoHunter detected these before attackers could exploit them, preventing a potential Shai-Hulud-style supply chain worm. The post details the four-phase attack chain (Exposure, Execution, Harvesting, Propagation), explains why pull_request_target is particularly dangerous, and covers 13 responsibly disclosed vulnerabilities spanning 10 Critical, 2 High, and 1 Medium severity findings. JFrog also promotes its Advanced Security product for detecting such workflow misconfigurations.
Table of contents
Why CI/CD is the New TargetWhat Is a “Pwn Request” / GitHub Actions CI Takeover?RepoHunter: Hunting CI Takeovers Before They ScaleFour Phases of a CI Supply Chain AttackRepoHunter CI\CD Takeover SummaryHypothetical Example: A Shai-Hulud-Style CI WormVulnerability Deep Dive: Ansible PlatformConclusion – Securing CI as Critical InfrastructureSort: