gha-security-review
Audited by Socket on Mar 5, 2026
3 alerts found:
Anomaly / Security (x2)
This file is a descriptive incident/reference report — not malicious software — that documents real GitHub Actions exploitation techniques and provides explicit examples of malicious payloads and attacker infrastructure. It contains concrete, actionable attack patterns (curl|bash, branch/filename injection, forked action modification, Go init() misuse, comment-trigger abuse) and references to a repeated attacker domain. The document itself poses no direct code-execution risk, but because it contains working payload patterns and domains, it is sensitive: copying these patterns into live workflows without mitigation would enable compromise. Reviewers should treat the described patterns as high-risk and harden workflows accordingly.
This document is a clear and accurate description of an AI prompt-injection supply-chain attack against GitHub Actions workflows that run AI agents on forked PR code. The examples show high-risk misconfigurations: using pull_request_target while checking out fork branches, granting write permissions, allowing all users, and reading project-level instruction files from untrusted forks. The PoC Makefile also demonstrates direct secret exfiltration via curl. The content itself is not a malicious package but a security advisory with explicit malicious examples; however, repositories that match the vulnerable patterns described are at high risk of unauthorized commits, fake approvals, and secret leakage. Apply the recommended mitigations (use pull_request, restrict permissions, protect instruction files with CODEOWNERS, restrict agent tools, and require human review for config changes).
This document describes a high-risk GitHub Actions supply-chain attack ('pwn request') and demonstrates concrete payloads that exfiltrate GITHUB_TOKEN and execute arbitrary commands when workflows incorrectly check out and run forked PR code under pull_request_target. The examples explicitly show exfiltration via curl/wget and lifecycle hooks (Go init(), npm preinstall, Python setup.py, local actions). If you find workflows that: (a) use on: pull_request_target, (b) perform actions/checkout of the PR head (or use uses: ./ local actions), and (c) execute build/test commands (npm install, go run, make, etc.), treat them as critically vulnerable and remediate by splitting workflows, removing checkout of fork code in pull_request_target, or restricting permissions. The document is an explanatory security advisory and the embedded payloads are intentionally malicious examples to demonstrate the vulnerability.