neciudan.dev via Reddit

GitHub cache poisoning threatens open source repos

cybersecurity open source supply-chain-security github-actions open-source

Key insights

  • pull_request_target workflow misconfigurations allow external contributors to inject malicious artifacts into GitHub Actions build caches.
  • Poisoned packages carry valid SLSA provenance signatures, making them indistinguishable from legitimate releases at every verification checkpoint.
  • Thousands of major open source repositories share this misconfiguration, and full ecosystem remediation is projected to take years.

Why this matters

SLSA provenance, broadly adopted as a gold standard for software supply-chain integrity, is rendered ineffective by this attack class, meaning organizations currently relying on it have false confidence in their dependency verification. The misconfiguration is not rare: thousands of major repositories are affected, making a coordinated exploitation campaign an industry-wide event rather than a contained incident. For AI practitioners specifically, many ML pipelines depend on open source tooling distributed through these same channels, meaning poisoned dependencies could silently corrupt training workflows or model artifacts without triggering any existing integrity checks.

Summary

Researcher neciudan has documented GitHub Actions cache poisoning as a systemic attack class, connecting incidents like TanStack and Megalodon to a shared structural flaw rather than treating them as isolated events. The mechanism: pull_request_target workflow misconfigurations let external contributors inject malicious artifacts into build cache layers. Subsequent pipeline runs restore those artifacts with valid SLSA provenance signatures attached, making poisoned packages indistinguishable from legitimate releases at every verification checkpoint. Essentially, GitHub and open source maintainers are running supply chains on a false trust baseline.

  • Thousands of major repositories share this misconfiguration pattern, per the research.
  • SLSA provenance cannot distinguish a cached poisoned artifact from a legitimate one, invalidating a widely relied-upon integrity guarantee.
  • Ecosystem remediation is projected to take years, not a standard patching cycle.

Recent supply-chain incidents now read as early evidence of a structural problem, not a string of unrelated maintainer mistakes.
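To make the misconfiguration concrete, the following is an added illustration, not code from the research or from any repository named above: a pull_request_target workflow of the kind described, with comments marking where the trust boundary breaks, followed by a hardened equivalent. The workflow names, cache paths and cache keys are constructed for the example.

```yaml
# --- Vulnerable pattern (constructed illustration) ---
# pull_request_target runs in the context of the BASE repository: the job gets
# a read/write GITHUB_TOKEN and repository secrets, and any cache it writes is
# scoped to the base branch (e.g. main), where later release runs can restore it.
name: pr-checks
on:
  pull_request_target:            # privileged, base-repo context
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the contributor's commit, so untrusted code now runs
          # with base-branch privileges. This is the misconfiguration to audit for.
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          # Same key shape the release workflow restores: whatever the PR's build
          # step leaves in node_modules is saved under a key main will match.
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
      - run: npm ci && npm run build  # contributor-controlled scripts execute here
---
# --- Hardened pattern ---
# 1. Execute contributor code only under `pull_request`, which runs in the
#    fork's context without secrets; its cache is scoped to the PR merge ref,
#    which runs on main cannot restore.
name: pr-checks
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref is the PR merge commit, unprivileged
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
      - run: npm ci && npm run build
# 2. In the release workflow, avoid consuming caches other workflows can write:
#    namespace the key to a prefix only the release job uses, do not add
#    `restore-keys` prefix fallbacks, or drop the cache and build from clean.
#    key: release-${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
```

A quick audit for this pattern is to grep `.github/workflows/` for `pull_request_target` and inspect every such workflow for a checkout of `github.event.pull_request.head.*` followed by a step that executes repository code or writes a shared cache.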

Potential risks and opportunities

Risks

  • Widely used ML tooling repositories (Hugging Face Transformers, LangChain, and similar projects) could already be serving poisoned packages to millions of downstream users if they share the misconfiguration, with no current mechanism to detect it
  • Enterprises relying on SLSA provenance for software supply-chain compliance under NIST SSDF or SOC 2 Type II face audit failures if poisoned artifacts are discovered in their verified dependency trees
  • Given the multi-year remediation projection, nation-state actors have a documented and repeatable technique to implant backdoors across major open source AI and developer tooling repositories before most patches land

Opportunities

  • Supply-chain security vendors (Chainguard, Endor Labs, Sigstore maintainers) can differentiate immediately by shipping automated detection of pull_request_target misconfigurations targeted at enterprise open source consumers
  • GitHub has a narrow window to ship a native workflow security linter flagging this pattern before regulators or large enterprise customers impose external remediation requirements on its platform
  • Enterprise security teams at AI companies can use this research as documented justification to mandate artifact pinning and internal forks for all open source ML dependencies, strengthening procurement and compliance posture ahead of the next incident

What we don't know yet

  • Whether GitHub plans to automatically flag pull_request_target misconfigurations in its workflow editor or ship a security advisory before external pressure forces the issue
  • Which specific major repositories among the thousands identified have been privately notified or have already patched as of May 2026
  • Whether the SLSA working group has formally acknowledged that this attack class invalidates provenance guarantees for pull-request-triggered builds