arctiq.com
Top 10 GitHub Actions Security Pitfalls: The Ultimate Guide to Bulletproof ...
- **Nx "s1ngularity" (August 2025):** Attackers compromised the popular Nx monorepo build system by publishing malicious npm packages via a GitHub Actions exploit, injecting credential-harvesting malware that stole SSH keys, .env files, wallets, and API tokens. This attack affected over 2,000 repositories.

…

### 6. Unpinned or Tag-Based Third-Party Actions

This is one of the most prevalent and dangerous supply chain risks in GitHub Actions. Despite causing nightmare scenarios for tens of thousands of users this year, most developers still do not pin their actions properly. According to Wiz, only 3.9% of repositories pin 100% of their third-party Actions to an immutable commit SHA.

…

### 7. Use of Vulnerable Third-Party Actions

Third-party GitHub Actions are convenient accelerators but introduce significant supply chain risks. These actions execute with the same permissions as your workflow, granting them potential access to sensitive secrets, tokens, and repository data. Like the previous security flaw, it's an attack vector for supply chain attacks. As seen in the 2025 tj-actions/changed-files incident (CVE-2025-30066), a compromised action lets attackers inject code to exfiltrate secrets, escalate privileges, or deploy malware directly into your pipeline. With recurring incidents during the past year, proactive governance is essential to mitigate these threats.
Related Pain Points (2)
- **GitHub Actions lacks lockfile dependency management** (9): GitHub Actions has no lockfile system to pin exact versions of third-party actions. Every workflow run re-resolves dependencies from the manifest without recording what was actually chosen, creating non-deterministic builds and enabling supply chain attacks. This is a fundamental gap compared to mature package managers.
- **npm ecosystem supply chain attacks exploit TypeScript maintainer workflows** (8): Multiple sophisticated npm compromises in 2025 (s1ngularity, debug/chalk, Shai-Hulud) exposed systemic weaknesses in TypeScript ecosystem maintainer authentication and CI workflows. The ecosystem requires stricter security practices but lacks standardized protections.