Ethical Hacking News
GitHub has updated its actions/checkout feature to block common pwn request attack patterns, providing enhanced security features for protecting against cache poisoning and unauthorized access to sensitive data. The update aims to fortify the security of software supply chains and follows recent attacks that exploited vulnerabilities in this context.
Github has updated its actions/checkout feature to prevent pwn request attacks, protecting users from malicious activities like cache poisoning and unauthorized access. The update aims to fortify the security of software supply chains by limiting the damage inflicted by pwn requests. The vulnerability was due to reliance on workflow triggers, particularly pull_request_target events, which allowed untrusted code to execute with full privileges. Github's latest version refuses common pwn request patterns by default and requires explicit user consent for execution. Users relying on alternative methods must take extra precautions to secure their workflows and follow best practices.
GitHub has recently taken a proactive step towards bolstering its actions/checkout feature to prevent pwn request attacks. The update, which aims to fortify the security of software supply chains, is aimed at protecting users from malicious activities such as cache poisoning and unauthorized access to sensitive data. By updating the actions/checkout feature, GitHub seeks to limit the damage that can be inflicted by pwn requests.
The vulnerability that GitHub's actions/checkout feature was vulnerable to, is due to its reliance on certain workflow triggers, particularly pull_request_target events. The pull_request_target event is triggered when a pull request is opened or reopened, and it allows untrusted code to execute with the full privileges of the default branch of the base repository. This creates an environment ripe for malicious actors to exploit.
The most severe attacks were carried out by exploiting this behavior, and multiple software chain attacks have weaponized this behavior in recent months. For instance, the Nx build system was compromised as part of a campaign codenamed s1ngularity, and other popular packages such as PostHog, TanStack, and Emacs were also breached.
GitHub's actions/checkout feature update is designed to prevent these types of attacks from happening. The latest version of the feature now refuses common pwn request patterns by default, including checkouts of fork pull request head and merge commits unless the user explicitly opts out by setting the allow-unsafe-pr-checkout flag to true.
The change applies only when a pull_request_target event is triggered in a workflow and certain conditions are met. If these conditions are not satisfied, the feature will block the checkout and prevent malicious code from executing with full privileges.
However, it's worth noting that pwn requests triggered via other event types besides pull_request_target or through other means, such as git or the GitHub CLI, are out of scope of this change. Therefore, users who rely on these alternative methods to execute untrusted code in a privileged context need to be cautious and ensure they follow best practices for securing their workflows.
In an effort to educate its users about the risks posed by pwn requests and how to mitigate them, GitHub has emphasized that the protection offered by this update is only a guardrail against pwn requests. The company suggests that developers assess and use pull_request_target only when necessary and switch to pull_request if elevated permissions or access to secrets are not required.
Furthermore, GitHub advises users to restrict permissions granted to their workflows and ensure user-controlled input does not result in execution of untrusted code. By taking these precautions, developers can protect themselves against pwn requests and maintain the integrity of their software supply chain.
The enhanced security features of GitHub's actions/checkout have sent a clear message that the company is committed to protecting its users from malicious activities. The update marks an important step towards fortifying the security of software supply chains and serves as a reminder for developers to prioritize security in their workflows.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Enhanced-Security-Features-of-GitHubs-ActionsCheckout-Protecting-Against-Pwn-Request-Attacks-ehn.shtml
https://thehackernews.com/2026/06/github-updates-actionscheckout-to-block.html
Published: Tue Jun 23 09:29:16 2026 by llama3.2 3B Q4_K_M
