
The (In)security Landscape of AI-Powered GitHub Actions (Part 2/2)

ID: e99dc031-ed7b-5863-9531-613f66634f17

STIX ID: report--e99dc031-ed7b-5863-9531-613f66634f17

Feed Name: Wiz Blog

Threat Score
75/100

Date Published: 2026-04-30

Date Updated: 2026-05-01

...
...

This research maps the expanded threat surface introduced by AI-powered GitHub Actions. It demonstrates access-control bypasses (confused-deputy attacks that abuse bot/App account names and Dependabot), prompt-injection risks, and new secret-exfiltration vectors: credential files that actions write to the runner at run time (GCP service-account JSON, AWS credentials, Azure and Docker credential files, SSH keys) can be read by an AI action and leaked, including through its own verbose logs. The authors provide code-level examples, evidence of vulnerable configurations across popular repositories, and disclosure outcomes with the affected vendors, and close with concrete hardening recommendations for workflow authors, action authors, and customers deploying AI actions in CI/CD.
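The log-exfiltration vector named above is easy to check for on the defender's side: if an AI action prints the files it read, the job log will contain the recognisable shape of the credential files that other steps created on the runner. The following scanner is an added example written for this summary; it is not code from the Wiz research or from any of the actions discussed. The detection patterns are assumptions chosen to be conservative rather than exhaustive (the Azure pattern assumes the legacy `accessTokens.json` layout), and the log excerpt is constructed for illustration.

```python
import re
from typing import List, Tuple

# Shapes of credential material that CI steps commonly write to the runner's
# filesystem (GCP service-account JSON, AWS credentials file, Docker config,
# Azure CLI token cache, SSH/PEM keys) and that a verbose AI-action step may
# echo back into the job log. These patterns are assumptions for this example:
# conservative indicators, not a complete catalogue.
CREDENTIAL_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("gcp-service-account-json", re.compile(r'"type"\s*:\s*"service_account"')),
    ("pem-private-key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("aws-credentials-file", re.compile(r"\baws_secret_access_key\s*=\s*\S+")),
    ("docker-config-auth", re.compile(r'"auth"\s*:\s*"[A-Za-z0-9+/=]{8,}"')),
    # Assumes the legacy ~/.azure/accessTokens.json layout.
    ("azure-cli-token", re.compile(r'"accessToken"\s*:\s*"[A-Za-z0-9._-]{20,}"')),
]

# Constructed job-log excerpt: an AI-agent step narrating the files it opened.
# The AWS key id is the documented AWS example value, not a real credential.
SAMPLE_LOG = """\
2026-04-30T10:02:11Z [agent] Reading ~/.config/gcloud/application_default_credentials.json
2026-04-30T10:02:11Z [agent] {"type": "service_account", "project_id": "example-proj",
2026-04-30T10:02:11Z [agent]  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg...",
2026-04-30T10:02:12Z [agent] Reading ~/.aws/credentials
2026-04-30T10:02:12Z [agent] [default]
2026-04-30T10:02:12Z [agent] aws_access_key_id = AKIAIOSFODNN7EXAMPLE
2026-04-30T10:02:12Z [agent] aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
2026-04-30T10:02:13Z [agent] Reading ~/.docker/config.json
2026-04-30T10:02:13Z [agent] {"auths": {"ghcr.io": {"auth": "dXNlcjpnaHBfZXhhbXBsZXRva2Vu"}}}
2026-04-30T10:02:14Z [agent] Reading ~/.ssh/id_ed25519
2026-04-30T10:02:14Z [agent] -----BEGIN OPENSSH PRIVATE KEY-----
2026-04-30T10:02:15Z [agent] Done. Summary: 4 files inspected.
"""


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_label) for every credential indicator found.

    Scanning is line-by-line so a finding can be reported against the exact
    log line, which is what a workflow author needs to locate the leaking step.
    """
    findings: List[Tuple[int, str]] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            if pattern.search(line):
                findings.append((line_no, label))
    return findings


def redact_log(text: str) -> str:
    """Replace every matched indicator with a labelled placeholder.

    Useful when a log must be kept or forwarded (e.g. to a ticket) after a
    leak has been detected; the original log should still be treated as
    compromised and the exposed credentials rotated.
    """
    redacted = text
    for label, pattern in CREDENTIAL_PATTERNS:
        redacted = pattern.sub(f"[REDACTED:{label}]", redacted)
    return redacted


if __name__ == "__main__":
    for line_no, label in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {label}")
    print(redact_log(SAMPLE_LOG))
```

Run it against a saved job log (`gh run view <id> --log` output works) to turn a suspected leak into a list of line numbers and credential types; a non-empty result means the credential in question should be rotated, because GitHub job logs are readable by anyone with read access to the repository's workflow runs.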
