Tens of thousands of public GitHub repositories are vulnerable to malicious code injection via self-hosted GitHub Actions runners, which could lead to high-impact supply chain attacks, security researchers warn. A self-hosted runner attached to a repository can be used by any workflow running in that repository's context. According to the researcher, an attacker who discovers a repository of interest can then check whether it has a self-hosted runner attached and use a fork pull request to become a contributor to that repository, which would then allow them to run workflows on the runner without requiring approval.
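The risk described above comes from the combination of two things in a workflow file: a job that runs on a self-hosted runner, and a trigger that a pull request can fire. The following audit script is an added example, not code from the article or from the researchers it cites; it checks parsed workflow definitions for exactly that combination so a repository owner can find the jobs worth locking down. It assumes the workflow YAML has already been loaded into Python objects (in practice with `yaml.safe_load` from PyYAML, which is why the bare `on` key is also looked up as the boolean `True`, the value PyYAML produces for it under YAML 1.1); the three embedded workflows are constructed samples.

```python
"""Flag GitHub Actions jobs that run on self-hosted runners and are reachable
from pull-request triggers (added example; workflows below are constructed)."""

# Triggers that a pull request from a fork can fire.
PR_TRIGGERS = {"pull_request", "pull_request_target"}


def workflow_triggers(workflow):
    """Return the set of event names a workflow listens on.

    `on:` may be a string, a list, or a mapping of event -> filters. PyYAML
    parses the bare key `on` as the boolean True, so both keys are accepted.
    """
    on = workflow.get("on", workflow.get(True))
    if on is None:
        return set()
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    if isinstance(on, dict):
        return set(on.keys())
    return set()


def runner_labels(job):
    """Normalise `runs-on` (string, list, or {group, labels} mapping) to a list
    of label strings. Expressions like ${{ matrix.os }} are kept verbatim."""
    runs_on = job.get("runs-on")
    if runs_on is None:
        return []
    if isinstance(runs_on, str):
        return [runs_on]
    if isinstance(runs_on, dict):
        labels = runs_on.get("labels", [])
        return [labels] if isinstance(labels, str) else list(labels)
    return [str(label) for label in runs_on]


def job_self_hosted_status(job):
    """'yes' if the job explicitly targets a self-hosted runner,
    'unknown' if the runner is chosen by an expression, else 'no'."""
    labels = runner_labels(job)
    if any(label.lower() == "self-hosted" for label in labels):
        return "yes"
    if any("${{" in label for label in labels):
        return "unknown"
    return "no"


def audit_workflows(workflows):
    """Return findings as (workflow name, job id, status, sorted PR triggers)
    for every job that a pull request could run on a self-hosted runner."""
    findings = []
    for name, workflow in workflows.items():
        pr_triggers = workflow_triggers(workflow) & PR_TRIGGERS
        if not pr_triggers:
            continue  # push/schedule-only workflows are not PR-reachable
        for job_id, job in workflow.get("jobs", {}).items():
            status = job_self_hosted_status(job)
            if status != "no":
                findings.append((name, job_id, status, sorted(pr_triggers)))
    return findings


# Constructed sample workflows, shaped like PyYAML output for .github/workflows/*.yml.
SAMPLE_WORKFLOWS = {
    "ci.yml": {  # PR-triggered job on a self-hosted runner: should be flagged
        True: {"pull_request": {"branches": ["main"]}, "push": None},
        "jobs": {
            "build": {"runs-on": ["self-hosted", "linux"],
                      "steps": [{"run": "make test"}]},
            "lint": {"runs-on": "ubuntu-latest",
                     "steps": [{"run": "make lint"}]},
        },
    },
    "nightly.yml": {  # self-hosted but only on a schedule: not PR-reachable
        "on": {"schedule": [{"cron": "0 2 * * *"}]},
        "jobs": {"soak": {"runs-on": {"group": "lab", "labels": ["self-hosted"]}}},
    },
    "matrix.yml": {  # runner chosen by expression: needs a human look
        "on": ["pull_request_target"],
        "jobs": {"test": {"runs-on": "${{ matrix.os }}",
                          "strategy": {"matrix": {"os": ["self-hosted", "ubuntu-latest"]}}}},
    },
}


if __name__ == "__main__":
    for finding in audit_workflows(SAMPLE_WORKFLOWS):
        print("REVIEW: %s job '%s' self-hosted=%s triggers=%s" % finding)
```

Jobs reported as `yes` are the ones where the default fork-PR approval setting decides whether an outside contributor's code reaches the runner; jobs reported as `unknown` need the matrix or expression resolved by hand. The script deliberately ignores push-only and scheduled workflows, since those do not run on a pull request.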