Some attack paths don’t show up in traditional pentests.

本站添加: 2026-05-25

[00:00:00]Looks like this was a GitHub actions cash poisoning attack, right? So, that that is like a known thing, right? Like you can go on to like any company's bug bounty page if you can find they've got like GitHub action cash poisoning as a possible, you know, exploit against them. You can get paid out from that.

[00:00:18]And it's like the core problem is exactly what Shodan was were saying, which is like this is running untrusted code in your main branch, right? Like this is functionally that's what's happening like they're running untrusted code in an environment where they're using GitHub actions caching. And it's like, you know, not a common thing to see exploited because a pen testing team is not like like that's not going to really surface in a pen test other than somebody maybe pointing it out because exploiting that usually is going to be very problematic. But real world threat actors that have no scope are definitely going to do that.