What causes open source supply chain attacks on GitHub?

Mostly compromised GitHub Actions workflows leaking secrets like API keys, letting attackers publish malicious packages to npm, PyPI, etc.

How do I secure my GitHub Actions workflows today?

Enable CodeQL scans, pin third-party Actions to SHA commits, avoid `pull_request_target` triggers, use OIDC over secrets.

Yes—it verifies publishes come from trusted GitHub workflows, dropping secrets from pipelines and flagging breaks.

🚀 New Releases

Every day, 30,000 packages hit npm—hundreds laced with malware. GitHub's cracking down on supply chain attacks starting in Actions workflows.

DevTools Feed Apr 02, 2026 4 min read 12 views

Pin Actions to full SHAs and enable CodeQL to block 90% of workflow exploits. 𝕏
Trusted publishing via OIDC eliminates secrets, breaking attack chains in npm and beyond. 𝕏
GitHub's scanning 30k daily npm publishes—malware detections are accelerating. 𝕏

Published by

Ship faster. Build smarter.

#CodeQL #GitHub Actions #open source security #supply chain attacks #supply chain security #trusted publishing

Get the best Developer Tools stories of the week in your inbox — no noise, no spam.

Originally reported by GitHub Blog