GitHub Repositories at Risk: Sysdig Uncovers Critical Workflow Vulnerabilities Sysdig researchers have identified a significant security risk in GitHub repositories, where improperly configured workflows could allow attackers to hijack projects by exploiting the `pull_request_target` event in GitHub Actions. Unlike the standard `pull_request` trigger—which runs in the context of a merge commit—`pull_request_target` executes in the base branch (typically the default branch) and has access to repository secrets and write permissions via the `GITHUB_TOKEN`. The vulnerability arises when maintainers use `pull_request_target` to test untrusted code from public contributors, inadvertently exposing sensitive credentials. If misconfigured, attackers could inject malicious code, exfiltrate secrets, and gain elevated privileges within the repository. Sysdig’s investigation revealed multiple affected projects, including: - Spotipy, an open-source Python library for the Spotify Web API, where researchers demonstrated the ability to execute malicious Python packages and steal the `GITHUB_TOKEN`. The flaw has since been patched. - Mitre’s cyber analytics repository, where attackers could exfiltrate the `GITHUB_TOKEN` and other secrets, potentially gaining full control. Mitre addressed the issue promptly. - Splunk’s security_content repository, where two secrets were exposed, though the extracted `GITHUB_TOKEN` had limited read-only access. Stefan Chierici, Sysdig’s threat research lead, warned that the impact depends on the privileges of the extracted token. In severe cases, attackers could modify workflows, exfiltrate additional secrets, or alter files in the main branch—effectively taking over the repository. While `pull_request_target` can be used safely, its nuances require careful handling to avoid exploitation. Sysdig has reported additional vulnerable repositories and is awaiting remediation before disclosing further details. The findings underscore the need for maintainers to audit their GitHub Actions workflows for potential misconfigurations.

The MITRE Corporation faced a critical funding crisis for its CVE (Common Vulnerabilities and Exposures) Program, a cornerstone of global cybersecurity infrastructure used by vendors, governments, and critical infrastructure entities to track and prioritize vulnerabilities. The U.S. federal government initially appeared unwilling to renew MITRE’s contract, risking the shutdown of the CVE program—halting new vulnerability entries and eventually taking the platform offline. While historical CVE records would remain accessible via GitHub, the disruption would sever a vital resource for real-time threat intelligence, leaving organizations worldwide exposed to unpatched vulnerabilities without centralized tracking.The temporary 11-month contract extension by CISA averted immediate collapse, but the uncertainty underscored systemic risks: reliance on a single entity for a foundational cybersecurity service, potential exploitation gaps during transitions, and the broader fragility of public-private partnerships in critical infrastructure. ENISA’s parallel launch of the European Vulnerability Database further highlighted the urgency of decentralizing such dependencies, as MITRE’s near-lapse revealed how a funding lapse could cascade into global cybersecurity blind spots, delaying patch management and increasing attack surfaces for threat actors.