Cybersecurity researchers at Kaspersky have identified more than 250,000 potential security misconfigurations across GitHub Actions workflows in thousands of popular open-source projects. The findings highlight how easily automated development pipelines can become entry points for attackers targeting the software supply chain. Kaspersky’s Global Research and Analysis Team (GReAT) examined workflows from roughly 30,000 of the platform’s most starred repositories.
Their scan covered more than 130,000 individual pipelines using new detection rules added to the company’s Container Security solution.
Only 10 percent of the repositories analyzed triggered no warnings whatsoever.
The issues were broken down by severity. Nearly 60 percent fell into the low-risk category, about 40 percent were rated medium risk, and just 0.4 percent qualified as high risk. Researchers flagged 200 repositories as high-risk overall.
Of those, eight contained critical misconfigurations that could enable full supply-chain compromises.
The affected projects covered diverse areas, including AI tools for enterprises, developer services, automation platforms, and security testing utilities.
The company has already notified the maintainers of these repositories.
The most common problems involved granting overly broad or implicit permissions and failing to pin specific versions of actions or dependencies.
Less frequent but more dangerous patterns included exposing secrets at the top level of workflow files, using unsafe conditions to trigger runs, and insecurely processing data from external sources.
These weaknesses matter because GitHub Actions has become a core part of modern software development.
When misconfigured, the same automation that speeds up building and deploying code can give attackers a direct path into trusted environments.
Attackers could inject malicious code into releases, steal credentials, or compromise downstream projects that depend on the affected repositories.
The research comes shortly after the Mini Shai-Hulud campaign in May 2026, in which attackers exploited similar weaknesses in GitHub Actions pipelines.
That incident led to the compromise of more than 170 packages across npm and PyPI, affecting well-known projects such as TanStack, Mistral AI, and OpenSearch.
Leonid Bezvershenko, senior security researcher at Kaspersky GReAT, observed that many recent supply-chain incidents could have been prevented through better adherence to secure CI/CD configuration practices.
He noted that the detected issues do not automatically mean a repository is currently compromised. Instead, they flag areas where developers should review and harden their setups.
Early identification of these gaps, he added, helps organizations create more resilient pipelines and lowers the chance of successful attacks.
Experts recommend several straightforward steps: explicitly define the minimum permissions required for each workflow, always pin actions and dependencies to specific versions or commit hashes, avoid exposing secrets unnecessarily, and carefully validate any external inputs.
Organizations can also benefit from automated scanning tools that check repositories or run inside pipelines to catch problems before code reaches production.
As open-source components continue to underpin much of today’s software, securing the automation layers that build and distribute them has become essential. The Kaspersky research findings serve as a clear reminder that even widely used platforms require ongoing attention to configuration hygiene to keep the broader software ecosystem safe.