CopilotKit finds CI/CD flaws in all 20 audited repos
Key insights
- Every one of 20 audited production repos contained at least 3 of 8 documented critical GitHub Actions misconfigurations.
- The Shai-Hulud campaign exploited these misconfigurations to compromise CI/CD credentials across 600+ npm packages and 3,800+ GitHub repositories.
- The three core flaws were unpinned action versions, overpermissioned GITHUB_TOKEN scopes, and unsanitized PR inputs passed to shell commands.
Why this matters
The Shai-Hulud campaign's success across 3,800+ repositories proves that standard GitHub Actions configurations create systematic CI/CD vulnerabilities attackers can exploit at scale with a single compromised upstream action. CopilotKit's audit finding universal misconfiguration across professionally maintained production repos means this isn't a skill gap issue; it's a defaults problem affecting virtually every team shipping software through GitHub. Any organization running GitHub Actions-based CI/CD without pinned action hashes and scoped GITHUB_TOKEN permissions is running the same exposed configuration that made May's attack possible.
Summary
Every one of 20 repos CopilotKit audited after May's TanStack attack carried at least three of eight critical misconfigurations, the same weaknesses behind Shai-Hulud's sweep through 600+ npm packages and 3,800 GitHub repos.
The attack exploited unpinned Actions versions, overpermissioned GITHUB_TOKEN scopes, and raw PR inputs passed to shell commands: defaults most teams never audit.
Essentially: May's attack surface (CopilotKit, TanStack, Nx Console) remains intact in most production pipelines.
- Unpinned action versions let attackers inject malicious code without touching your repo.
- Overpermissioned tokens turn one CI compromise into full repository access.
- Unsanitized PR inputs are an open injection channel for external contributors.
The breach already ran; the conditions that made it possible are still in production.
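As an added example (not from the CopilotKit audit or the original article), a small Python checker that flags the three misconfigurations listed above in a constructed weak workflow and confirms a hardened version passes; the 40-zero commit SHA is a placeholder, not a real commit.

```python
import re
# Constructed sample workflows (not from the original page or any real repo):
# WEAK shows the three audited flaws, HARDENED the corrected form.
WEAK = """\
on: pull_request_target
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
"""
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
"""
SHA_PIN = re.compile(r"@[0-9a-f]{40}\b")
EVENT_DATA = re.compile(r"\$\{\{[^}]*github\.event\.(pull_request|issue|comment|review)\.")

def audit_workflow(text: str) -> list[str]:
    """Report actions not pinned to a commit SHA, write-all or missing token
    permissions, and untrusted event data inside run: steps (multi-line too)."""
    findings, lines = [], text.splitlines()
    if not any(re.match(r"\s*permissions:", l) for l in lines):
        findings.append("no permissions block: GITHUB_TOKEN keeps repository defaults")
    run_indent = None  # indentation of an open 'run: |' block, or None
    for n, line in enumerate(lines, 1):
        indent, s = len(line) - len(line.lstrip()), line.strip()
        if run_indent is not None and indent <= run_indent:
            run_indent = None  # block ended; back to normal keys
        in_run = run_indent is not None or s.startswith(("run:", "- run:"))
        if s.startswith(("run:", "- run:")) and s.endswith(("|", ">")):
            run_indent = indent + 2 if s.startswith("-") else indent
        if s.startswith("permissions:") and "write-all" in s:
            findings.append(f"line {n}: permissions: write-all grants every token scope")
        if s.startswith(("uses:", "- uses:")) and not SHA_PIN.search(s):
            findings.append(f"line {n}: action not pinned to a full commit SHA")
        if in_run and EVENT_DATA.search(s):
            findings.append(f"line {n}: untrusted event data expanded inside a shell command")
    return findings
```

Passing the title through an `env:` variable, as in HARDENED, keeps it out of shell parsing; the token scope and SHA pin are the other two fixes the audit calls for.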
Potential risks and opportunities
Risks
- Organizations that shipped npm packages during the Shai-Hulud campaign window may face downstream liability if malicious versions reached production consumers before discovery
- GitHub and Microsoft face enterprise customer pressure to overhaul the Actions marketplace trust model after the 3,800-repo breach scale; delayed response risks enterprise contract churn within 90 days
- Teams that have not audited GITHUB_TOKEN scopes post-May remain exposed to credential harvesting in future supply chain attacks targeting the same documented misconfiguration patterns
Opportunities
- GitHub Actions security vendors (Chainguard, StepSecurity, Wiz) have a direct sales hook: CopilotKit's audit data gives them quantified misconfiguration rates to anchor enterprise pipeline-hardening conversations
- Supply chain security platforms (Snyk, Socket.dev, Endor Labs) can accelerate pipeline-audit product adoption by citing Shai-Hulud's 3,800-repo scale as the validated baseline threat
- Open source maintainers who publicly harden their Actions workflows can differentiate their packages as enterprise buyers begin actively auditing upstream CI/CD security posture
What we don't know yet
- Whether GitHub has shipped platform-level defaults or workflow warnings to flag unpinned action versions or overpermissioned tokens since the May breach
- Full attribution behind the Shai-Hulud campaign: no government or state-sponsored link confirmed in public reporting as of late May 2026
- How many of the 600+ compromised npm packages distributed malicious versions to downstream consumers before the attack was detected and contained
Originally reported by copilotkit.ai
Original headline: Audit of 20 Production Repos After May GitHub Actions Supply Chain Attack Finds Every Single One Had At Least 3 of 8 Critical Misconfigurations