We hardened zizmor's GitHub Actions static analyzer

Trail of Bits·Security / OSINT·

In March 2026, attackers exploited a pull_request_target misconfiguration in the aquasecurity/trivy-action GitHub Action to exfiltrate organization and repository secrets, then used those credentials to backdoor LiteLLM on PyPI (see Trivy’s post-mortem for the full timeline). zizmor is a static analyzer that GitHub Actions users run to catch exactly these misconfigurations before they ship. When GitHub Actions added support for YAML anchors in September 2025, a small but high-value slice of the ...

Read full article →

Related Articles

Google Chrome silently installs a 4 GB AI model on your device without consent
john-doe · Hacker News · 17d ago
DNSSEC disruption affecting .de domains – Resolved
warpspin · Hacker News · 16d ago
Security through obscurity is not bad
mobeigi · Hacker News · 19d ago
US healthcare marketplaces shared citizenship and race data with ad tech giants
ZeidJ · Hacker News · 18d ago
The text mode lie: why modern TUIs are a nightmare for accessibility
SpyCoder77 · Hacker News · 18d ago