
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows

Type: Security Tool/Service
Happening score: H score 11
Sources: 1 unique source, 1 article

Summary


GitHub's actions/checkout now refuses common "pwn request" patterns by default, cutting the risk of attacker-controlled code execution in privileged GitHub Actions workflows. The guardrail applies to forked pull requests in pull_request_target and related workflow_run paths, which can expose secrets and GITHUB_TOKEN access. The change began on June 18, 2026, and will be backported to supported major versions on July 16, 2026.

Related Happenings

Npm v12 default-blocks install scripts, Git dependencies, and remote URLs

Security Tool/Service
H score 11 · First: 12.06.2026 16:00 · Last: 12.06.2026 16:00 · Sources: 1

About this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...

Miasma supply-chain malware activity

Malware Activity
H score 34 · First: 10.06.2026 23:27 · Last: 10.06.2026 23:27 · Sources: 1

About this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...

GitHub npm v12 hardens install-time dependency execution and source resolution

Security Tool/Service
H score 11 · First: 10.06.2026 22:41 · Last: 10.06.2026 22:41 · Sources: 1

About this happening: **GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...

Shai-Hulud PyPI supply-chain malware activity

Malware Activity
H score 22 · First: 08.06.2026 23:41 · Last: 08.06.2026 23:41 · Sources: 1

About this happening: The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...

Miasma self-replicating supply chain attack campaign targeting open-source repositories

Campaign
H score 83 · First: 06.06.2026 09:58 · Last: 06.06.2026 09:58 · Sources: 1

About this happening: The **Miasma** self-replicating supply-chain campaign has reached **73 Microsoft repositories** across **Azure**, **Azure-Samples**, **Microsoft**, and **MicrosoftDocs** on **GitH...

Timeline

  1. 23.06.2026 17:22 · 2 articles

    actions/checkout v7 blocks fork pull request checkouts in privileged workflows

    Mitigation Patch Update

    GitHub's actions/checkout v7 began refusing fork pull request checkouts by default in pull_request_target and certain workflow_run workflows, blocking common pwn request patterns unless workflow authors set allow-unsafe-pr-checkout to true.

  2. 23.06.2026 17:22 · 1 article

    GitHub announces default refusal of fork pull request code in actions/checkout

    Initial Disclosure

    GitHub announced that actions/checkout is being updated to block pwn request abuse of pull_request_target by refusing fork pull request checkouts that can run attacker-controlled code with the base repository's GITHUB_TOKEN, secrets, and write privileges.

  3. 23.06.2026 17:22 · 1 article

    GitHub plans July 16 backport of fork pull request checkout refusal

    Mitigation Patch Update

    GitHub expects to backport the same fork pull request checkout refusal in actions/checkout to all currently supported major versions on July 16, 2026, extending the guardrail beyond the latest release.

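As an added example (not code from the page, from GitHub, or from actions/checkout itself), here is the privileged pattern the summary and timeline describe, beside a hardened form that keeps fork code away from secrets. Workflow names, the job, the npm commands and the NPM_TOKEN secret are assumptions; the allow-unsafe-pr-checkout input is the opt-out the page names.

```yaml
# Two separate workflow files, shown as one multi-document YAML for comparison.
# All names below are constructed placeholders.

# --- .github/workflows/ci-unsafe.yml (the "pwn request" pattern) ---
# pull_request_target runs with the BASE repository's GITHUB_TOKEN (write) and
# secrets, yet this job checks out the FORK's commit and executes its scripts.
name: ci-unsafe
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          # Fork-controlled source: the PR author controls package.json,
          # test scripts, and anything `npm ci`/`npm test` will execute.
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
          # v7 now fails this step by default. The line below restores the old
          # behaviour; in a review, treat its presence as a finding.
          # allow-unsafe-pr-checkout: true
      - run: npm ci && npm test          # runs attacker-controlled scripts
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # exposed to that code

---
# --- .github/workflows/ci-hardened.yml ---
# pull_request: a fork PR gets a read-only GITHUB_TOKEN and no repository
# secrets, so executing its code cannot leak credentials or push to the repo.
name: ci-hardened
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read                      # explicit least privilege
    steps:
      - uses: actions/checkout@v7        # default ref: the PR merge commit
      - run: npm ci && npm test          # same tests, no secrets in scope
```

If a privileged step is genuinely needed (for example, commenting on or labelling the PR), keep it in a pull_request_target job that checks out only the base branch and consumes PR content as data, never as code to run.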