Skip to content

GitHub Actions pinned to @master branch — supply chain attack vector (pdd.yml) #584

Description

@sdghsdkjlas27-dotcom

.github/workflows/pdd.yml line 19 references volodya-lombrozo/pdd-action@master pinned to the master branch, not a tag or SHA. Any commit pushed to that repository's master branch — including malicious code — will be immediately executed in this repo's CI pipeline with full repository access.

REPRODUCTION: An attacker gains write access to the volodya-lombrozo/pdd-action repo and pushes a malicious commit to master.

IMPACT: Full repository compromise. The attacker's code runs with checkout permissions and can exfiltrate secrets, modify source, or pivot to other infrastructure.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions