Securing the Open Source Supply Chain Across GitHub
Learn how GitHub is defending the open source supply chain from attacks, with trusted publishing, malware scanning, and new security features for npm and Actions.
Open source software powers much of the world’s technology, but it’s increasingly targeted by sophisticated supply chain attacks. Recent trends show attackers focusing on exfiltrating secrets—like API keys—from compromised workflows, then using those secrets to publish malicious packages or access more projects. Here’s what you need to know about the current threat landscape and how GitHub is responding.
How Attacks Happen
Many attacks begin by exploiting vulnerabilities in GitHub Actions workflows. Once inside, attackers search for secrets to escalate their access and propagate malicious code. The most critical step you can take is to enable CodeQL to review your workflows for security best practices. Additionally, follow GitHub’s security guidance for Actions:
- Don’t trigger workflows on pull_request_target unless absolutely necessary.
- Pin third-party Actions to full-length commit SHAs (and be wary of external PRs updating these).
- Watch for script injection risks when referencing user-submitted content.
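The three rules above can be checked mechanically before a workflow is merged. The following Python audit is an added example, not GitHub's code and not part of the original post. It assumes a constructed workflow, a placeholder action name (example-org/labeler) and SHA, and that actions under actions/ and github/ count as first-party.

```python
import re

TRIGGER = re.compile(r"^\s*(?:on:.*?|-\s*)?\bpull_request_target\b")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
RUN = re.compile(r"^(\s*(?:-\s*)?)run:")
FULL_SHA = re.compile(r"[0-9a-f]{40}")
# Subset of the contexts GitHub documents as attacker-controllable.
UNTRUSTED = re.compile(r"\$\{\{[^}]*github\.(?:head_ref|event\.(?:issue|"
                       r"pull_request|comment)\.(?:title|body|head\.ref))")
# Not flagged: local paths, images, GitHub-owned orgs (assumed first-party).
SKIP = ("./", "docker://", "actions/", "github/")
# Constructed workflow; example-org/labeler and the SHA are placeholders.
SAMPLE = """\
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/labeler@v2
      - uses: example-org/labeler@0123456789abcdef0123456789abcdef01234567
      - run: |
          echo "PR: ${{ github.event.pull_request.title }}"
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR: $TITLE"
"""


def audit_workflow(text):
    """Line-based heuristic (not a YAML parser): return (line, rule) pairs."""
    findings = []
    run_col = None  # column of the active run: key; None outside a script
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None  # dedent closes the script block
        if (m := RUN.match(line)):
            run_col = len(m.group(1))
        if run_col is not None:
            if UNTRUSTED.search(line):
                findings.append((n, "script-injection"))
            continue
        if TRIGGER.match(line):
            findings.append((n, "pull_request_target"))
        if (u := USES.match(line)) and not u.group(1).startswith(SKIP):
            if not FULL_SHA.fullmatch(u.group(1).rpartition("@")[2]):
                findings.append((n, "unpinned-action"))
    return findings
```

The last step in the sample is not flagged: it passes the PR title through env: and expands it as a shell variable, so the expression never becomes part of the script text.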
Stay informed about compromised dependencies via the GitHub Advisory Database and use tools like Dependabot to get alerts about malicious or vulnerable packages.
GitHub’s Security Enhancements
GitHub is rolling out new capabilities to defend the open source supply chain:
- Trusted Publishing: Instead of using secrets in workflows, use OpenID Connect tokens for authentication. This removes secrets from pipelines and provides a signal if a package stops using trusted publishing, helping the community spot suspicious activity.
- Malware Scanning: Every npm package version is scanned for malware, with detections reviewed by humans before action is taken. This helps prevent false positives from disrupting legitimate publishers.
- OpenSSF Partnership: GitHub works with the OpenSSF to support trusted publishing across npm, PyPI, NuGet, RubyGems, Crates, and more.
What’s Next?
In response to major attacks like Shai-Hulud, GitHub is accelerating its security roadmap for npm and GitHub Actions. This includes:
- Expanding trusted publishing and malware detection.
- Engaging with open source maintainers to prioritize impactful security features.
- Revisiting and accelerating the GitHub Actions security roadmap.
The Path Forward
Open source is a global public good, and defending it is an ongoing effort. GitHub is committed to rolling out new security capabilities and working with the community to ensure a smooth transition to a more secure ecosystem.
Inspired by the official GitHub blog: Securing the open source supply chain across GitHub