A new pattern in open source supply chain attacks focuses on exfiltrating secrets via compromised GitHub Actions workflows to publish malicious packages. Key defensive steps include enabling CodeQL for workflow analysis, avoiding pull_request_target triggers, pinning third-party Actions to full commit SHAs, and adopting trusted publishing (OIDC-based) across npm, PyPI, NuGet, RubyGems, and Crates to eliminate secrets from build pipelines. GitHub scans all npm packages for malware daily and is accelerating its 2026 security roadmap for GitHub Actions following recent attacks.

5m read time. From github.blog
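Two of the steps above, avoiding pull_request_target and pinning third-party Actions to full commit SHAs, can be checked mechanically. The following is an added example, not code from the GitHub post: the function name, the sample workflow, the `example-org` actions, and the choice to treat the `actions` and `github` owners as first-party are all assumptions made for illustration.

```python
import re

# Assumption: these owners count as first-party and are not flagged.
FIRST_PARTY = {"actions", "github"}
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")  # full commit SHA, not a tag or short SHA
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
TRIGGER = re.compile(r"\bpull_request_target\b")

# Constructed sample workflow; the SHA below is a made-up placeholder.
SAMPLE = """\
name: release
on:
  pull_request_target:
    types: [opened]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@v2
      - uses: example-org/publish@0123456789abcdef0123456789abcdef01234567  # v1.0.0
      - uses: ./.github/actions/local
"""

def audit_workflow(text):
    """Return (line_number, finding) tuples for one workflow file's text."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue  # whole-line comment
        line = raw.split(" #", 1)[0]  # drop a trailing comment
        if TRIGGER.search(line):
            findings.append((n, "pull_request_target trigger"))
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and container images are not git refs to pin.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        if action.split("/")[0] in FIRST_PARTY:
            continue
        if not FULL_SHA.match(version):
            findings.append((n, f"unpinned action {action}@{version or '<none>'}"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_workflow(SAMPLE):
        print(f"line {lineno}: {finding}")
```

The check is line-based and does not parse YAML, so it is best used as a quick pre-merge gate alongside a proper workflow analyzer such as the CodeQL analysis mentioned above.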