A threat actor exploited a 'Pwn Request' vulnerability in the GitHub Actions CI workflow of the kubernetes-el Emacs package on March 5, 2026. The workflow ran on the `pull_request_target` trigger, which executes in the context of the base repository with access to its secrets and a write-capable GITHUB_TOKEN, and it checked out the pull request's head, i.e. code from the attacker's fork. Opening a pull request was therefore enough to get arbitrary code execution on the runner with full write permissions. The attacker used memory-dump tools to extract the GITHUB_TOKEN and all CI secrets from the runner and exfiltrate them, then pushed four malicious commits directly to master: defacing the README, replacing the main package file with a destructive `rm -rf /` command, and deleting most of the repository's files. The package was removed from MELPA and blocked on Emacsmirror. The post walks through the exploit step by step, gives the full attack timeline, and lists concrete mitigations: never check out untrusted code in a `pull_request_target` workflow, restrict GITHUB_TOKEN permissions, and monitor network egress from CI runners.
Table of contents
- What Happened
- The Vulnerable Workflow
- The Exploit: Step by Step
- The Aftermath: Repository Defaced and Destroyed
- Attack Timeline
- How to Protect Your Workflows
- Indicators of Compromise
- Acknowledgements
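The pattern described above, as an added example that is not part of the original post and not kubernetes-el's real workflow: a constructed `pull_request_target` workflow that checks out the PR head (the Pwn Request shape), a hardened rewrite of it, and a small line-oriented scanner that flags the combination of a privileged trigger, an untrusted checkout ref and missing or write-scoped `permissions:`. The two workflow texts and the `audit_workflow` function are assumptions made for illustration; the scanner is a triage heuristic and deliberately avoids a YAML dependency, so it will miss refs assembled indirectly.

```python
"""Audit GitHub Actions workflows for the 'Pwn Request' pattern.

Added example, not the project's own code. The scanner is line-oriented
on purpose so it runs without PyYAML; treat it as a triage heuristic.
"""
import re
import sys
from pathlib import Path
from typing import List

# Constructed vulnerable workflow: pull_request_target runs with the base
# repository's secrets and token, and the checkout step pulls the fork's code.
VULNERABLE = """\
name: CI
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
"""

# Constructed hardened workflow: plain pull_request (fork PRs get no secrets
# and a read-only token), explicit least privilege, default checkout of the
# merge ref rather than an attacker-chosen sha.
HARDENED = """\
name: CI
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Trigger forms: block key, list item, or inline "on: [..., pull_request_target]".
PRIVILEGED_TRIGGER = re.compile(
    r"^\s*(-\s*)?pull_request_target\b|^\s*on\s*:.*\bpull_request_target\b", re.M
)
# Expressions that resolve to attacker-controlled code in a PR context.
UNTRUSTED_REF = re.compile(
    r"\$\{\{\s*(github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref)\s*\}\}"
)
WRITE_PERM = re.compile(
    r"^\s*(contents|pull-requests|actions|packages|id-token)\s*:\s*write\s*$", re.M
)


def audit_workflow(text: str) -> List[str]:
    """Return findings for one workflow file's text; an empty list means clean."""
    findings: List[str] = []
    if not PRIVILEGED_TRIGGER.search(text):
        return findings  # plain pull_request from a fork has no secrets to steal
    findings.append("uses pull_request_target (secrets and write token available)")
    # Checking out the PR head under this trigger is the Pwn Request itself.
    for lineno, line in enumerate(text.splitlines(), 1):
        if UNTRUSTED_REF.search(line):
            findings.append(f"line {lineno}: untrusted PR head used: {line.strip()}")
    if not re.search(r"^\s*permissions\s*:", text, re.M):
        findings.append("no permissions: block; GITHUB_TOKEN uses the repository default, which may be write")
    elif WRITE_PERM.search(text):
        findings.append("permissions: grants a write scope to GITHUB_TOKEN")
    return findings


def main(argv: List[str]) -> int:
    """Scan the given workflow files, or the embedded samples when none are given."""
    samples = {Path(p).name: Path(p).read_text() for p in argv} or {
        "vulnerable.yml": VULNERABLE,
        "hardened.yml": HARDENED,
    }
    worst = 0
    for name, text in samples.items():
        findings = audit_workflow(text)
        print(f"{name}: {'clean' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
        worst = max(worst, len(findings))
    return 1 if worst else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python audit_pwn_request.py .github/workflows/*.yml` to get a non-zero exit when any workflow matches; note that a `pull_request_target` workflow with no checkout at all (for example one that only labels the PR) is still reported for the trigger, which is intentional, since the reviewer should confirm no later step fetches fork code by another route.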