38% of GitHub Actions Workflows Exposed to Script Injection Risks
ID: 22227824-5da9-5cc9-8788-8364081994b1
STIX ID: report--22227824-5da9-5cc9-8788-8364081994b1
Feed Name: GBHackers
The report warns that insecure GitHub Actions configurations are widespread: unsafe triggers such as pull_request_target, unpinned action versions, and exposed credentials affect 38% of workflows and two-thirds of organizations. These weaknesses are being actively exploited by campaigns (s1ngularity, hackerbot-claw, TeamPCP) to achieve remote code execution, credential theft, and supply-chain compromise. The report outlines GitHub's planned mitigations (pinned commits, centralized policies, scoped secrets, egress controls) and urges organizations to treat workflows as part of the attack surface and harden them.
