GitHub Actions Is a Trap


GitHub Actions is a trap - Tyler Cipriani


Hackers are pwning packages at an exhausting clip, and GitHub Actions features in every postmortem.

In late February, a hackerbot AI[1] yoinked the release key for a single project. Within a month, fifty-ish other projects had cred stealers. Each infected repo swiped credentials for the next.

This spate of supply-chain hacks started from a GitHub Actions trap; a simple, bad default with a five-year-old proposed fix.

GitHub Actions and consequences

[Image: Admiral Ackbar warning about the trap in GitHub Actions]

Trivy is an open-source security scanner. But if you used Trivy in late March, you had a bad time.

On March 19th, hackers pushed a version of Trivy that tried to smuggle secrets from anywhere it ran. Trivy cited a “misconfiguration” in their continuous integration (CI) system, GitHub Actions.

But the exploit was less a misconfiguration and more a GitHub Actions trap.

Here’s a simplified version of how Trivy got pwnd[2]:

    # INSECURE. DO NOT USE.
    on:
      pull_request_target

    jobs:
      check:
        steps:
          - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
            with:
              ref: refs/pull/${{ github.event.pull_request.number }}/merge
          - uses: ./.github/actions/setup-go
          - uses: some/go-static-analysis@c0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ff

At first glance, this code looks fine:

No secrets referenced.

Third-party actions pinned to an immutable hash.

Check out a pull request. Perform some static analysis.

But this code is a verbatim antipattern from a 2021 GitHub blog post titled “preventing pwn requests”:

if the pull_request_target workflow only […] runs untrusted code but doesn’t reference any secrets, is it still vulnerable?

Yes it is

– GitHub Security Lab

The problem is pull_request_target:

pull_request_target – plunks a nice, juicy GITHUB_TOKEN into the environment.

actions/checkout – takes an optional parameter persist-credentials, which removes secrets if set to false. But the default for the parameter is true.

Setting the persist-credentials parameter to false by default has been an open issue in GitHub Actions since 2021.
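
As an added example (not code from this post or from any project it mentions), the Python sketch below audits workflow text for the pattern described above: a pull_request_target trigger, a checkout of the pull request's ref, and credentials left persisted by default. It also reports third-party actions that are not pinned to a full commit hash. The function name, finding labels and sample workflow are constructed for illustration, and the line-based parsing assumes conventional block-style YAML.

```python
import re
from itertools import takewhile

SHA_PIN = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^(\s*(?:-\s+)?)uses:\s*(\S+)")
PR_REF = re.compile(r"ref:.*(github\.event\.pull_request|refs/pull/|github\.head_ref)")
NO_PERSIST = re.compile(r"persist-credentials:\s*['\"]?false")

def audit_workflow(text):
    """Heuristic audit of one workflow file; returns a sorted list of findings."""
    # Drop YAML comments so commented-out settings are not counted.
    lines = [re.sub(r"(^|\s)#.*", "", l).rstrip() for l in text.splitlines()]
    privileged = any("pull_request_target" in l for l in lines)
    findings = set()
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m:
            continue
        key_col, target = len(m.group(1)), m.group(2)
        action, _, ref = target.partition("@")
        if not action.startswith("./") and not SHA_PIN.fullmatch(ref):
            findings.add("unpinned-action:" + target)
        if action != "actions/checkout":
            continue
        # Rest of the step: following lines indented at least as far as "uses".
        step = "\n".join(takewhile(
            lambda n: not n.strip() or len(n) - len(n.lstrip()) >= key_col,
            lines[i + 1:]))
        if privileged and PR_REF.search(step):
            findings.add("untrusted-checkout")  # PR code in a privileged run
        if not NO_PERSIST.search(step):
            findings.add("persisted-token")     # default persist-credentials: true
    return sorted(findings)

# Constructed sample: the post's simplified workflow, re-indented.
PAGE_EXAMPLE = """\
on: pull_request_target
jobs:
  check:
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
      - uses: ./.github/actions/setup-go
      - uses: some/go-static-analysis@c0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ff
"""

if __name__ == "__main__":
    print(audit_workflow(PAGE_EXAMPLE))
```

Run over the post's simplified workflow, it reports both the untrusted checkout and the persisted token, even though every third-party action is hash-pinned and no secret is referenced.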

Your $HOME is a crime scene

Once hackers had Trivy’s keys, they published a new version of Trivy to steal more keys.

LiteLLM used Trivy in their CI. The same CI they used to publish code to PyPI, the Python software registry. When LiteLLM’s CI ran the compromised Trivy, hackers nabbed their publishing key.

And on March 24th, when Callum McMahon fired up his IDE, his MacBook froze. And that’s how he discovered the LiteLLM hijack.

McMahon’s MacBook was flailing at bad code that hackers snuck into LiteLLM. And the bad code was trying to steal credentials:

~/.netrc

~/.aws/credentials

~/.config/gcloud

~/.config/gh

~/.azure

~/.docker/config.json

~/.npmrc

~/.git-credentials

~/.kube/

Files that are typically strewn around $HOME directories, full of tokens and keys, often unencrypted.

AI and the supply chain doom spiral

We’ve dealt with problems like unencrypted credentials, unpinned dependencies, and CI footguns forever.

But AI has accelerated everything, including repeating security mistakes.

On the day of the Trivy compromise, I asked Claude, “how do I scan docker registry images for security vulnerabilities?”

The reply, in part:

CI/CD Integration Example (GitHub Actions with Trivy)

    - name: Scan image for vulnerabilities
      uses: aquasecurity/trivy-action@master

Broken in two ways:

Unpinned references – master is a reference that changes all the time. If hackers zombify the repo, I’d be the first victim.

Active vulnerability – No mention whatsoever of the CVE posted that day. I never asked, so Claude never checked.

Meanwhile, Vercel’s CEO has attributed his company’s recent data breach to a hacker that was “accelerated by AI.” And Anthropic’s latest hype tour includes briefing the US Federal Reserve Chair about vulnerabilities unearthed by their frontier model.

Bad guys with LLMs get superpowers. Good guys with LLMs fall prey to mid-2010s CI problems.

And the same tool that can root out 27-year-old security problems in OpenBSD will still tell you to pin your GitHub actions to @master.

[1] Or someone calling themselves hackerbot-claw, at any rate.

[2] My GitHub Actions example is a simpler version of the action removed in aquasecurity/trivy #10259.


Copyright © 2026 Tyler Cipriani

Last edited Fri 2026-05-22 11:58:08 PM
Created Fri 2026-04-24 08:54:04 PM
