1h ago · socket-dev
GitHub has released actions/checkout v7 to mitigate a long-standing supply chain risk in GitHub Actions where privileged workflows using pull_request_target could execute attacker-controlled code from untrusted pull requests. These workflows run with elevated permissions, including access to secrets and tokens, and previously allowed malicious actors to steal credentials or publish malicious packages. The update blocks unsafe checkouts by default, particularly those pulling code from forked pull requests in high-privilege contexts. This change addresses a known attack pattern exploited in recent incidents involving Nx, PostHog, and TanStack.
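As an added illustration of the misconfiguration described above (example code, not from the Socket article or from GitHub), the following heuristic scanner flags workflows that combine the `pull_request_target` trigger with an `actions/checkout` step whose `ref` points at the pull request head. The two sample workflows are constructed, and the check is text-based rather than a full YAML parse.

```python
import re

# Constructed sample: a privileged pull_request_target workflow that checks out
# the PR head and then runs code from it (the risky pattern).
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed sample: same trigger, but checkout stays on the base branch,
# so only trusted repository code runs with the elevated token.
SAFE_WORKFLOW = """\
name: label
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/label-pr.sh
"""

TRIGGER_RE = re.compile(r"\bpull_request_target\b")
CHECKOUT_RE = re.compile(r"uses:\s*actions/checkout@")
HEAD_REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}"
)

def find_unsafe_checkouts(workflow_text):
    """Return 1-based line numbers of checkout steps that pull the PR head
    inside a pull_request_target workflow; [] if the trigger is absent."""
    if not TRIGGER_RE.search(workflow_text):
        return []
    lines = workflow_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not CHECKOUT_RE.search(line):
            continue
        # Inspect this step's `with:` block, which ends at the next `- ` step.
        j = i + 1
        while j < len(lines) and not lines[j].lstrip().startswith("- "):
            if HEAD_REF_RE.search(lines[j]):
                findings.append(i + 1)
                break
            j += 1
    return findings
```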