Impact Newswire

Kaspersky Has Found Widespread Security Risks Hiding in GitHub Code

Kaspersky has identified more than 250,000 potential security misconfigurations in GitHub Actions workflows after reviewing software development pipelines used by some of the world’s most popular open-source projects, highlighting persistent risks to software supply chains.

Kaspersky Has Found Widespread Security Risks Hiding in GitHub Code

The cybersecurity company’s Global Research and Analysis Team (GReAT) said on Tuesday it analyzed more than 130,000 GitHub Actions workflows across 30,000 of the platform’s most-starred repositories using a new scanning capability in its Kaspersky Container Security product.

The review found more than 250,000 potential configuration issues in continuous integration and continuous delivery (CI/CD) pipelines, with only about 10% of the repositories generating no security alerts.

Kaspersky said misconfigured GitHub Actions workflows can allow attackers to compromise software development pipelines, inject malicious code into production systems or gain access to sensitive infrastructure credentials.

The findings follow a string of software supply chain attacks, including the Mini Shai-Hulud campaign in May, which exploited weaknesses in GitHub Actions build pipelines and compromised more than 170 npm and PyPI packages used by projects including TanStack, Mistral AI and OpenSearch.

According to Kaspersky, 59.8% of the identified issues were classified as low risk, 39.8% as medium risk and 0.4% as high risk. The most common problems involved excessive access permissions, failure to pin dependency versions and insecure workflow settings.

Among roughly 200 repositories categorized as high risk, Kaspersky said it identified eight with critical flaws that could lead to software supply chain compromises. The repositories included projects related to enterprise AI integration, developer automation services and security testing tools. The company said it had notified the affected developers.

“Over the past year, we have observed serious supply-chain attacks, that could have been prevented by following secure CI/CD configuration guidelines,” Leonid Bezvershenko, senior security researcher at Kaspersky GReAT, told Impact Newswire.

“While the uncovered issues do not automatically indicate exploitable vulnerabilities, they point to areas where developers should verify and strengthen configurations. By identifying these weaknesses early, organisations can build more resilient pipelines and reduce the likelihood of supply-chain compromise. The rules developed for our container security solution provide a practical framework to identify and remediate these gaps before they can be exploited.”

GitHub Actions is a widely used automation platform that enables developers to build, test and deploy software automatically. Because the workflows often have access to source code, credentials and production environments, security experts have increasingly warned that configuration errors can provide attackers with a pathway into software supply chains.

Kaspersky said users of its Container Security platform can use its GitHub repository scanning capability to identify and mitigate workflow misconfigurations either within CI/CD pipelines or as a standalone service.

Stay ahead of the stories shaping our world. Subscribe to Impact Newswire for timely, curated insights on global tech, business, and innovation all in one place.

Dive deeper into the future with the Cause Effect 4.0 Podcast, where we explore the ideas, trends, and technologies driving the global AI conversation.

Got a story to share? Pitch it to us at info@impactnews-wire.com and reach the right audience worldwide


Discover more from Impact Newswire

Subscribe to get the latest posts sent to your email.

"What’s your take? Join the conversation!"

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top

Discover more from Impact Newswire

Subscribe now to keep reading and get access to the full archive.

Continue reading