Skills
GitHub Actions Cache Poisoning as Supply Chain Attack Vector: TanStack Postmortem Reveals fork→base Trust Boundary Is Exploitable via pull_request_target
The TanStack postmortem reveals a reusable three-step attack pattern against any repository using pull_request_target workflows: (1) fork the repo and rename to evade detection, (2) open a PR that triggers a pull_request_target workflow checking out attacker code, (3) poison the GitHub Actions cache (pnpm store) across the fork-to-base boundary. The attacker's code then executes in subsequent legitimate CI runs. Remediation: pin all action refs to full SHAs (not tags), never run pull_request_target workflows that checkout PR code, and treat the Actions cache as an untrusted input. npm's OIDC trusted-publisher has no per-publish review gate — any workflow code path can mint tokens.
Source
↳ Follow the thread