Gbhackers
GitHub Actions Enhances Security Against 'Pwn Request' Attacks
GitHub has released actions/checkout v7 to mitigate vulnerabilities associated with the pull_request_target workflow trigger, which has been exploited in 'pwn request' attacks. This update, announced on June 18, 2026, blocks workflows that attempt to fetch untrusted code from forked repositories, thereby preventing unauthorized access to sensitive resources. The changes will be backported to all supported major versions starting July 16, 2026. Developers can opt out of these restrictions but are discouraged from doing so. The update aims to enhance security by default, addressing a long-standing issue that has led to multiple compromises in software supply chains. GitHub acknowledges that while this update significantly reduces risk, it does not eliminate all forms of exploitation related to pwn requests. The changes come in response to a surge in cyberattacks targeting developer environments, including recent incidents attributed to the TeamPCP hacking group.
Key Points:
• GitHub's actions/checkout v7 blocks unsafe workflows from untrusted forks.
• The update addresses long-standing vulnerabilities exploited in pwn request attacks.
• Developers can opt out of restrictions, but this is discouraged to maintain security.
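To find workflows that match the pattern described above (a pull_request_target trigger combined with an actions/checkout step that fetches fork code), a repository owner can audit workflow files before upgrading. The scanner below is an added example, not code from GitHub or the article; it is a line-based heuristic rather than a full YAML parse, and the sample workflow, the regexes and the function name `audit_workflow` are constructed for illustration.

```python
import re

# Constructed sample (not from the article): a pull_request_target workflow
# that checks out the fork's head commit and then runs its code.
RISKY = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Expressions that resolve to fork-controlled refs or repositories.
UNTRUSTED = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref|repo\.full_name)"
    r"|github\.head_ref|refs/pull/")
CHECKOUT = re.compile(r"^(\s*(?:-\s+)?)uses:\s*['\"]?actions/checkout@")

def audit_workflow(text):
    """Return [(line_no, detail)] for fork checkouts under pull_request_target."""
    lines = [re.sub(r"(^|\s)#.*$", "", l) for l in text.splitlines()]
    if not any(re.search(r"\bpull_request_target\b", l) for l in lines):
        return []  # trigger absent: not the pattern in question
    findings = []
    for i, line in enumerate(lines):
        m = CHECKOUT.match(line)
        if not m:
            continue
        key_indent = len(m.group(1))  # column of the step's keys
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_indent:
                break  # dedent: the next step or job begins
            kv = re.match(r"\s*(ref|repository):\s*(.+)", nxt)
            if kv and UNTRUSTED.search(kv.group(2)):
                findings.append((i + 1, f"{kv.group(1)}: {kv.group(2).strip()}"))
    return findings

if __name__ == "__main__":
    for line_no, detail in audit_workflow(RISKY):
        print(f"line {line_no}: actions/checkout fetches untrusted {detail}")
```

A finding means the step deserves manual review; an empty result from this heuristic does not prove a workflow is safe, since fork code can also be fetched by other means than actions/checkout.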