Kaspersky’s Global Research and Analysis Team (GReAT) found more than 250,000 potential security issues in GitHub Actions workflows after reviewing 30,000 of the platform’s most-starred repositories, raising concerns over risks that could affect software supply chains.
The cybersecurity company found that only 10% of the analyzed repositories had no security alerts, while the remaining repositories showed possible weaknesses in continuous integration and continuous delivery (CI/CD) processes, the systems developers use to automatically build, test, and release software.
Using the new scanning rules from Kaspersky Container Security, the researchers analyzed more than 130,000 GitHub Actions pipelines and identified common configuration problems, including overly broad access permissions, missing dependency version controls, and unsafe workflow settings.
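The three issue classes named above can be checked mechanically. The following audit script is an added example written for this article, not Kaspersky Container Security's rules, and it runs over a constructed workflow that deliberately contains all three problems:

```python
import re

# Constructed sample workflow for demonstration; not taken from any repository in the report.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: echo "${{ github.event.pull_request.title }}"
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Event-payload fields an outside contributor controls; interpolating them into `run:` is shell injection.
UNTRUSTED = re.compile(r"github\.event\.(pull_request|issue|comment)\.[\w.]*(title|body|ref|login|label)")

def audit_workflow(text: str) -> list[tuple[str, str]]:
    """Return (category, detail) findings for the three issue classes named in the report."""
    findings = []
    lines = text.splitlines()
    # 1. Missing dependency version control: third-party actions not pinned to a full commit SHA.
    for line in lines:
        m = USES.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue
        ref = m.group(1).split("@", 1)[1] if "@" in m.group(1) else ""
        if not FULL_SHA.match(ref):
            findings.append(("unpinned-action", m.group(1)))
    # 2. Overly broad access permissions: no top-level restriction, or write-all.
    top = [l for l in lines if l.startswith("permissions:")]
    if not top:
        findings.append(("broad-permissions", "no top-level permissions block; GITHUB_TOKEN gets the default grant"))
    elif "write-all" in top[0]:
        findings.append(("broad-permissions", "write-all"))
    # 3. Unsafe workflow settings: a privileged trigger that checks out untrusted PR code,
    #    and untrusted payload fields interpolated into shell commands.
    if re.search(r"^\s*pull_request_target\b", text, re.M) and "pull_request.head" in text:
        findings.append(("unsafe-trigger", "pull_request_target checks out the PR head"))
    for line in lines:
        if re.search(r"^\s*-?\s*run:", line) and UNTRUSTED.search(line):
            findings.append(("script-injection", line.strip()))
    return findings
```

The remediation for each finding is the inverse of the check: pin `uses:` to a full commit SHA, set a top-level `permissions:` block with the minimum scopes (for example `contents: read`), and never combine `pull_request_target` with a checkout of the PR head or interpolate event fields directly into `run:`.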
“Over the past year, we have observed serious supply-chain attacks that could have been prevented by following secure CI/CD configuration guidelines,” said Leonid Bezvershenko, senior security researcher at Kaspersky GReAT. “While the uncovered issues do not automatically indicate exploitable vulnerabilities, they point to areas where developers should verify and strengthen configurations.”
Among the detected issues, 59.8% were classified as low risk, 39.8% as medium risk, and 0.4% as high risk based on Kaspersky’s assessment. While many findings do not immediately mean systems can be hacked, they indicate areas where developers need to strengthen security controls.
Kaspersky GReAT identified 200 repositories with high-risk issues, including eight repositories with critical flaws that could potentially lead to supply chain compromise. The affected repositories covered different uses, including artificial intelligence (AI) applications for businesses, developer tools, automation services, and security testing platforms.
Supply chain attacks happen when attackers target trusted software development processes to insert malicious code or gain access to systems. Open-source software has become widely used by developers, but weak security settings in build pipelines can create entry points for attackers.
Kaspersky pointed to the Mini Shai-Hulud campaign in May 2026 as an example of how attackers can exploit weaknesses in GitHub Actions workflows. The attack reportedly compromised more than 170 npm and PyPI packages, affecting projects including TanStack, Mistral AI, and OpenSearch.
The company said the identified issues were reported to the affected developers to help them address the risks.
“By identifying these weaknesses early, organizations can build more resilient pipelines and reduce the likelihood of supply-chain compromise,” Bezvershenko said. “The rules developed for our container security solution provide a practical framework to identify and remediate these gaps before they can be exploited.”