
A recent attack on GitHub Actions has once again cast a spotlight on the security of software supply chains and the inherent vulnerabilities of CI/CD pipelines. Initial reports suggested that as many as 23,000 projects had been affected. However, a more thorough investigation revealed that the true scale of the incident was significantly smaller than these early estimates.
Experts determined that only 5,416 repositories from 4,072 organizations contained workflows linked to the compromised GitHub Action. Among these were several high-profile projects, boasting up to 350,000 stars and 63,000 forks, which initially raised widespread concern regarding the potential breadth of the attack.
Yet in reality, during the critical 24-hour window of the attack—from March 14 to March 15, 2025—workflows incorporating the vulnerable component were executed in only 614 instances, representing roughly 11% of the total affected repositories. A substantial number of these saw no more than 10 executions, although some isolated cases recorded over 50.
Even among the 614 active repositories, not all experienced data exfiltration. Only 218 repositories were deemed sufficiently compromised to have exposed sensitive data in their logs, including secret keys and authentication tokens. In total, 72 distinct types of sensitive information were identified, the majority of which were temporary GitHub access tokens (GITHUB_TOKEN). These tokens are only valid during the execution of a workflow and expire upon task completion or after 24 hours, significantly limiting their utility to attackers.
Nonetheless, despite the relatively modest scale of the breach, the ramifications for affected repositories could be severe. Leaked credentials included data associated with DockerHub, npm, and AWS—assets that, if exploited, pose a considerable threat by enabling further attacks within the software supply chain.
Notifications have already been issued to the maintainers of the compromised repositories, urging them to immediately rotate any exposed secrets and scrutinize their environments for signs of suspicious activity. The incident also underscores the critical importance of adhering to security best practices—most notably, the use of immutable commit hashes rather than mutable version tags when specifying dependencies.