HIGHSupply Chain
Verified
Global

GitHub Actions Supply Chain Attack Injects Malware Into CI/CD Pipelines

Monday, March 2, 2026 at 07:00 PM UTC·Source: GitHub Security Advisory

Updated: Tuesday, March 3, 2026 at 12:00 PM UTC

Executive Summary

Compromised GitHub Action used by 23,000+ repositories injects credential-stealing code into CI/CD pipelines. Broad exposure across enterprise repositories.

Analysis

A popular GitHub Action with 23,000+ repository users was compromised after the maintainer account was hijacked. The malicious version exfiltrates CI/CD secrets including cloud credentials, NPM tokens, and Docker registry passwords during pipeline execution. GitHub has revoked the compromised versions and is notifying affected organizations. The incident highlights ongoing risks in CI/CD supply chain security.

Timeline

Discovered
Mar 2, 2026
Published
Mar 2, 2026
Source Attribution

Originally published by GitHub Security Advisory on Mar 2, 2026. Verified by: GitHub, CISA.

Related Threats

MEDIUMSupply Chain

Mercor confirms security incident tied to LiteLLM supply chain attack

Although the LiteLLM attack was reportedly tied to a group called TeamPCP, the hacking gang Lapsus$ claimed on its website that it obtained hundreds of gigabytes of Mercor’s data.

The Record
MEDIUMSupply Chain

Threat Brief: Widespread Impact of the Axios Supply Chain Attack

Unit 42 discusses the supply chain attack targeting Axios. Learn about the full attack chain, from the dropper to forensic cleanup. The post Threat Brief: Widespread Impact of the Axios Supply Chain Attack appeared first on Unit 42 .

Unit 42 (Palo Alto)
LOWSupply Chain

Axios NPM Package Breached in North Korean Supply Chain Attack

A long-lived NPM access token was used to bypass the GitHub Actions OIDC-based CI/CD publishing workflow and push backdoored package versions. The post Axios NPM Package Breached in North Korean Supply Chain Attack appeared first on SecurityWeek .

SecurityWeek