
Securing the open source supply chain across GitHub

ID: 0f21e9d4-0972-51a7-af1d-dccfb8535b68

STIX ID: report--0f21e9d4-0972-51a7-af1d-dccfb8535b68

Feed Name: GitHub Security Lab

Threat Score
70/100

Date Published: 2026-04-01

Date Updated: 2026-04-27

Author: Zachary Steindler

...
...

GitHub describes a rising pattern of supply-chain attacks where adversaries compromise GitHub Actions workflows to steal secrets and publish malicious packages; the advisory outlines current mitigations (enable CodeQL, use OpenID Connect/trusted publishing, Dependabot, and npm malware scanning), recounts prior incidents like Shai-Hulud, and previews accelerated security roadmap changes for npm and GitHub Actions.
