GitHub Launches actions/checkout v7 to Block Cyberattacks - Wedoany

Homepage News Details

GitHub Launches actions/checkout v7 to Block Cyberattacks

2026-06-23 15:41

Favorite

en.Wedoany.com Reported - GitHub has launched actions/checkout v7, which automatically blocks unsafe workflows to prevent so-called "pwn request" attacks. These attacks exploit misconfigurations in the pull_request_target workflow trigger, allowing attacker code to run with full workflow permissions.

GitHub, laptop

The root cause lies in developers switching to the pull_request_target trigger to obtain secrets such as API keys. This trigger itself has no vulnerabilities, but when improperly configured with actions/checkout, it checks out code from untrusted branches, opening a backdoor to the repository and its secrets. Released on June 18, actions/checkout v7 now automatically blocks such risky workflows and causes them to fail.

In the v7 changelog, GitHub noted that the only way to bypass these checks is for developers to explicitly add allow-unsafe-pr-checkout to opt out. This change marks the beginning of a new era of "secure by default," where security is defined by the system rather than left to developers. As part of this initiative, the new default settings will be backported to all supported major versions on July 16. Workflows pinned to floating major tags (e.g., actions/checkout@v4) will automatically receive the changes, while those pinned to specific SHAs, minor versions, or patch versions will not be affected by the backport and will need to be upgraded via Dependabot or established upgrade processes.

Recently, attacks using the pwn request technique have caused significant damage, with open-source repositories continuously targeted by the TeamPCP hacker group. Last month, attackers exploited this vulnerability to compromise 170 npm packages, including the TanStack Router ecosystem. Additionally, in a separate incident not involving pwn request, source code from approximately 3,800 internal GitHub repositories was also stolen.

GitHub has taken action, planning a series of security reforms, including restricting the execution of automatic installation scripts in npm earlier this month. The changelog also stated that since pwn request attacks may occur through other avenues, future versions may explore further strengthening protections for other events.

This article is compiled by Wedoany. All AI citations must indicate the source as "Wedoany". If there is any infringement or other issues, please notify us promptly, and we will modify or delete it accordingly. Email: news@wedoany.com

Information and Communication Software Engineering Information Security and Data Security Engineering

Previous：Spain's MasOrange Selects Polystar for AI Analytics Solution

Next：China Cixing Co., Ltd. Acquires German STOLL Brand and Core Assets

Office Data Leakage Prevention Solution

Sangfor Technologies Inc.

GYTA Type Non-Self-Supporting Aerial/Duct Optical Cable

TONGDING INTERCONNECTION INFORMATION CO., LTD.

SIS Safety Instrumentation Solution

Beijing Consen Automation Technology Co., Ltd.

Hangzhou GOLONG Technology Co., Ltd.

Industrial and Commercial Point-Type Gas Detector

Jinan Benan Technology Development Co., Ltd.

Fiber Optic Connector

Jingye Group Co., Ltd.

Automatic Aiming Laser Remote Obstacle Removal Robot

Pinggao Group Weihai High-Voltage Apparatus Co., Ltd.

Neolix X3 Autonomous Delivery Vehicle

Neolix Beijing Technology Co., Ltd.

QPS-20A Redundant Power Fast Switcher

CHN ENERGY ZHISHEN CONTROL TECHNOLOGY CO., LTD.

Negotiable /Set

Bolande Application Server Software V9.5

Beijing Baolande Software Corporation

Wireless LAN | AirEngine 5776-56T Access Point

Conveyor Belt Intelligent Monitoring System

LUO YANG WIRE ROPE INSPECTION TECHNOLOGY CO., LTD.

Related Recommendations

Samsung Electronics Launches UFS 5.0 Mobile Storage Products

Chinese Enterprise WeChat AI Agent "Dayuan" Enters Internal Testing Phase

Jiangsu's First Unitree Embodied AI Industry College Inaugurated in Suzhou

Dong Nai City Launches Digital Transformation Pilot Plan for Over 105,000 Individual Business Households

Vietnam Promotes Digitalization of Hue Tourism, Expects Revenue of 10.3 Trillion VND in First Half of 2026

Vietnam Approves 2026-2030 Plan to Drive Digital Transformation for at Least 500,000 Enterprises

Japan's KDDI Partners with NVIDIA and Others to Build Digital Twin RAN

Poland's KPO project has covered 314,816 residential units

Poland's Nexera reports 2025 revenue of PLN 152 million, covering 9 provinces

T-Mobile Poland Participates in PLN 12.8 Million NB-IoT Water Meter Project

Lastest Bulletin

Predictive Maintenance and Cybersecurity Are Essential for Intelligent Hydropower Station Operation

How an Intelligent Hydropower Station Integrates Generation, Dispatching and Asset Management

Safe Operation of a Pumped Storage Power Station Depends on Reservoir, Unit and Digital Monitoring

How Reversible Units and Variable-Speed Technology Improve Pumped Storage Flexibility

Why Terrain and Geology Determine the Success of Pumped Storage Power Station Projects

How a Pumped Storage Power Station Works as a Large Water Battery for the Grid

U.S. Residential Building Technology Company NileBuilt Plans to Sell Gen-2 Composite Building Technology IP

Laison Showcases Smart Prepaid Water Meter Solutions at Zambia Water Expo

Gulf Coast Rebar Inc. Installs Nearly 10,000 Tons of Rebar, Wins SEAA 2026 Project of the Year Award

Carollo Engineers Secures $210 Million Water Plant Construction Management Contract in California