GitHub Actions supply chain attack: what IAM teams missed

TL;DR: A compromised GitHub Action modified version tags, executed malicious code, and exposed CI/CD secrets across more than 23,000 repositories, according to Unosecur. Mutable workflow dependencies and plaintext log exposure turn pipeline identity into a high-blast-radius control problem rather than a tooling issue.

NHIMG editorial — based on content published by Unosecur: GitHub Action supply chain attack exposes critical identity security gaps

Questions worth separating out

Q: How should security teams prevent GitHub Actions from becoming a supply chain entry point?

A: Security teams should pin actions to immutable commit SHAs, restrict workflow permissions, and remove reusable secrets from runners wherever possible.

Q: Why do CI/CD secrets create such a large blast radius when a workflow is compromised?

A: CI/CD secrets often unlock cloud accounts, repository administration, and package publishing from a single execution context.

Q: What do teams get wrong about using OIDC in GitHub Actions?

A: Teams sometimes treat OIDC as a complete fix when it is really a credential-lifecycle improvement.

Practitioner guidance

• Pin workflow dependencies to immutable commits Replace mutable version tags in GitHub Actions with pinned commit SHAs so the executed code cannot change after review.
• Reduce runner privilege to the task minimum Separate build, test, and release workflows so each runner receives only the repository scopes and cloud rights it actually needs.
• Replace long-lived cloud secrets with OIDC Use short-lived federation tokens for cloud access and remove static AWS keys, GitHub PATs, and similar reusable credentials from workflow storage.

What's in the full article

Unosecur's full blog covers the operational detail this post intentionally leaves for the source:

• Line-by-line MITRE ATT&CK mapping of the tj-actions compromise from tag rewrite to log exposure
• Specific remediation steps for GitHub Actions runners, including token scope review and workflow hardening
• Examples of how the malicious script accessed memory, secrets, and encoded output in build logs
• Practical guidance on replacing mutable action references with pinned commit hashes across repositories

👉 Read Unosecur's analysis of the GitHub Actions supply chain attack →

GitHub Actions supply chain attack: what IAM teams missed?

Explore further

View Full Forum →  |  NHI Foundation Course →  |  Our Services →