
Kaspersky Uncovers Over 250,000 Potential Security Issues in GitHub Actions Workflows

June 26, 2026

Kaspersky’s Global Research and Analysis Team (GReAT) has conducted a major review of the GitHub Actions workflows within top-starred repositories. Leveraging a newly introduced Kaspersky Container Security capability, the researchers have discovered 8 repositories with critical misconfigurations that could lead to supply chain compromise.

Open-source components are now indispensable to modern software engineering. However, they also introduce hidden vectors for supply-chain attacks, such as the prominent Mini Shai-Hulud campaign conducted by TeamPCP in May 2026. This attack exploited weaknesses in GitHub Actions build pipelines and led to the compromise of more than 170 npm and PyPI packages, affecting projects such as TanStack, Mistral AI, and OpenSearch. In general, misconfigured GitHub Actions workflows can transform trusted development pipelines into dangerous entry points, allowing attackers to compromise automated workflows, introduce malicious code into production environments, or access critical infrastructure keys.

Kaspersky GReAT experts have completed the assessment of GitHub Actions workflows, analyzing more than 130,000 pipelines across 30,000 of the platform’s top-starred repositories. Utilizing the specialized scanning ruleset introduced in the latest Kaspersky Container Security update, the researchers identified over 250,000 potential misconfigurations in continuous-integration/continuous-delivery (CI/CD) processes, underscoring the widespread adoption of insecure configuration practices. Only 10% of the analyzed repositories triggered no alerts at all.

Among the discovered issues, 59.8% are classified as low-risk, 39.8% as medium-risk, and 0.4% fall into the high-risk category according to the Kaspersky taxonomy. The most frequent issues involve implicitly granted or overly broad access permissions, and missing version pinning for dependencies and workflow-level settings. Fewer repositories expose top-level secrets, use unsafe run conditions, or process external data insecurely; these issues can lead to more severe compromises.
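The issue classes listed above can be checked mechanically. The following is an added example, not Kaspersky’s ruleset and not code from the research; it is one reading of those classes (implicit or `write-all` permissions, actions not pinned to a commit SHA, secrets in workflow-level `env`, a `pull_request_target` job checking out the PR head, and `github.event.*` fields interpolated straight into a `run:` script). It assumes the workflow has already been loaded into a dict by a YAML loader such as PyYAML, so it runs with no dependencies; the two workflows are constructed samples, and the 40-zero commit SHA is a placeholder for a real pinned commit.

```python
"""Static checks for common GitHub Actions misconfiguration classes.
Operates on a workflow already parsed to a dict (e.g. via yaml.safe_load).
The YAML loader is assumed rather than included, so this runs offline."""
import re
from dataclasses import dataclass

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                 # full commit SHA pin
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.")          # ${{ secrets.X }}
# github.event.* fields that an outside contributor can control via a fork,
# issue or comment; interpolating them into a shell script is injectable.
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*github\.event\.(?:issue|pull_request|comment|review"
    r"|head_commit|commits)\b[^}]*\}\}")


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    location: str


def _jobs(wf):
    return (wf.get("jobs") or {}).items()


def _steps(job):
    return job.get("steps") or []


def check_permissions(wf):
    """No top-level `permissions` means the implicit default token scope."""
    out = []
    if "permissions" not in wf:
        out.append(Finding("implicit-permissions", "low", "workflow"))
    elif wf["permissions"] == "write-all":
        out.append(Finding("broad-permissions", "medium", "workflow"))
    for name, job in _jobs(wf):
        if job.get("permissions") == "write-all":
            out.append(Finding("broad-permissions", "medium", f"jobs.{name}"))
    return out


def check_pinning(wf):
    """Third-party actions referenced by tag or branch, not by commit SHA."""
    out = []
    for name, job in _jobs(wf):
        for i, step in enumerate(_steps(job)):
            uses = step.get("uses")
            if not uses or uses.startswith(("./", "docker://")):
                continue  # local and container references are out of scope here
            ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
            if not SHA_RE.match(ref):
                out.append(Finding("unpinned-action", "low", f"jobs.{name}.steps[{i}]"))
    return out


def check_top_level_secrets(wf):
    """Secrets in workflow-level `env` are visible to every job and step."""
    env = wf.get("env") or {}
    return [Finding("top-level-secret", "medium", f"env.{k}")
            for k, v in env.items() if isinstance(v, str) and SECRET_RE.search(v)]


def check_untrusted_input(wf):
    """Attacker-controllable event fields expanded inside a `run:` script."""
    out = []
    for name, job in _jobs(wf):
        for i, step in enumerate(_steps(job)):
            run = step.get("run")
            if isinstance(run, str) and UNTRUSTED_RE.search(run):
                out.append(Finding("untrusted-input-in-run", "high", f"jobs.{name}.steps[{i}]"))
    return out


def check_pr_target_checkout(wf):
    """pull_request_target runs with the base repository's secrets; checking
    out the PR head there executes fork-controlled code with them."""
    on = wf.get("on") or wf.get(True) or {}  # PyYAML reads a bare `on` key as True
    triggers = [on] if isinstance(on, str) else list(on)
    if "pull_request_target" not in triggers:
        return []
    out = []
    for name, job in _jobs(wf):
        for i, step in enumerate(_steps(job)):
            ref = (step.get("with") or {}).get("ref", "")
            if "pull_request.head" in str(ref):
                out.append(Finding("pr-target-head-checkout", "high", f"jobs.{name}.steps[{i}]"))
    return out


CHECKS = (check_permissions, check_pinning, check_top_level_secrets,
          check_untrusted_input, check_pr_target_checkout)


def scan(wf):
    return [f for check in CHECKS for f in check(wf)]


def severity_counts(findings):
    counts = {"low": 0, "medium": 0, "high": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: one instance of each issue class above.
WEAK = {
    "name": "ci",
    "on": {"pull_request_target": {}},
    "env": {"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": 'echo "PR title: ${{ github.event.pull_request.title }}"'},
    ]}},
}

# Constructed hardened form: explicit least-privilege permissions, SHA-pinned
# action (placeholder SHA), no workflow-level secrets, pull_request trigger,
# and the untrusted field passed through an env var instead of interpolated.
HARDENED = {
    "name": "ci",
    "on": {"pull_request": {}},
    "permissions": {"contents": "read"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@" + "0" * 40},
        {"env": {"TITLE": "${{ github.event.pull_request.title }}"},
         "run": 'echo "PR title: $TITLE"'},
    ]}},
}

if __name__ == "__main__":
    for f in scan(WEAK):
        print(f"{f.severity:6} {f.rule:24} {f.location}")
    print("hardened findings:", scan(HARDENED))
```

Note the `wf.get(True)` fallback: with YAML 1.1 loaders such as PyYAML, an unquoted `on:` key is parsed as the boolean `True`, so a checker that only looks up the string `"on"` silently skips the trigger check.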

Among 200 repositories identified as high-risk, the team discovered 8 repositories with critical flaws that could lead to supply chain compromise. The affected repositories spanned a wide range of use cases, including AI integration in enterprise environments, developer and automation services, and security testing tools. The identified critical issues were reported to the respective developers.

“Over the past year, we have observed serious supply-chain attacks that could have been prevented by following secure CI/CD configuration guidelines,” said Leonid Bezvershenko, senior security researcher at Kaspersky GReAT. “While the uncovered issues do not automatically indicate exploitable vulnerabilities, they point to areas where developers should verify and strengthen configurations. By identifying these weaknesses early, organizations can build more resilient pipelines and reduce the likelihood of supply-chain compromise. The rules developed for our container security solution provide a practical framework to identify and remediate these gaps before they can be exploited.”

To detect and mitigate potential security issues caused by misconfigurations, Kaspersky Container Security users can leverage GitHub repository scanning, whether embedded directly into CI/CD pipelines or operated in standalone mode.

More details about the research are available at Kaspersky Daily.

For more information about Kaspersky Container Security, please follow the link.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Innovating the industry with a Cyber Immunity approach, Kaspersky safeguards consumers, businesses, critical infrastructure, and governments from cyberthreats, with over a billion devices protected to date.

Kaspersky ensures Cybersecurity True to Business, focusing on providing clear outcomes, protecting revenue, easing workloads and preventing downtime. Kaspersky’s deep threat intelligence and security expertise are constantly transformed into innovative solutions and services for organizations of every size, from small businesses to large enterprises, combining proven AI-driven protection technologies with simple management and expert support.

Recognized in independent tests and trusted by millions of individuals worldwide and nearly 200,000 organizations, Kaspersky helps detect threats earlier, respond faster and operate with greater confidence and freedom, protecting what matters most to our clients. Learn more at www.kaspersky.com.
