$ smokedmeat github.com/whooli

Whooli CTF NEW

A fake billion-dollar unicorn, fully booby-trapped. Point SmokedMeat at it and walk the full kill chain from a drive-by GitHub Issue comment to cloud admin, safely.

$ head featured.md
SmokedMeat: A Red Team Tool to Hack Your Pipelines First
FEATURED tools

TL;DR

In March 2026, TeamPCP unleashed mayhem on the software supply chain: compromising Trivy, LiteLLM, KICS, Telnyx, and dozens of npm packages, proving that CI/CD pipelines are the softest target. Today we're open-sourcing SmokedMeat, the first red team framework for build pipelines (i.e. CI/CD), so defenders can finally see the full kill chain for themselves.

--author "François Proulx"
François Proulx, VP of Security Research

François is the VP of Security Research at Boost Security and co-creator of the poutine Open Source CI/CD scanner. He co-founded the Living Off The Pipeline (LOTP) project to describe the abuse of build tools for lateral movement. After spending years teaching defenders how to secure their workflows, he is now demonstrating how attackers are dismantling them.

| --date 2026-04-15 | --read-time 7 min
#smokedmeat #ci-cd #red-team #open-source #supply-chain #poutine
$ ls articles/

Recent Articles

Sleeper Squats: How a Hyphen (Almost) Unraveled GitHub's Immutable OIDC Subject Claim
LATEST research

TL;DR

In late April 2026, GitHub shipped a changelog post introducing immutable subject claims for GitHub Actions OIDC tokens, then pulled the post six hours later. The feature stayed live in production into the next day. During that short window, I (and, as I'd learn later, at least one other person) realized the new `<org>-<org_id>` format opens a pre-hijack opportunity: anyone can register a legacy organization whose name is a perfect string collision for a future victim's immutable subject claim, then wait for the victim to opt in. I disclosed via HackerOne the next morning; the feature was disabled in production about an hour later. GitHub later reshipped it with `@` (not a hyphen) as the delimiter, which closes the collision; the namespace-recycling problem it addresses was first disclosed by Tal Skverer in February 2025.

Trusted Publishing, Untrusted Branch: Inside the Red Hat npm Compromise

TL;DR

More than 30 @redhat-cloud-services npm packages shipped a credential-stealing worm. How they were published is now well-documented across several independent reports. We focus on the uncomfortable part: every supply-chain trust control passed. The packages carried valid SLSA provenance, npm trusted publishing accepted them, and branch protection on main was never touched. They passed because trusted publishing anchors trust to a workflow filename on any branch, not to a protected release identity, and the provenance that vouched for the packages faithfully recorded the throwaway branch that nobody checked.

Deployment Poisoning: A Novel Attack Vector for GitHub Actions

Deployment Poisoning: A(nother) Novel Attack Vector for GitHub Actions

TL;DR

A newly discovered attack technique allows attackers to inject commands and exfiltrate secrets by creating malicious deployments from fork pull requests. It exploits the trust assumption that deployments come from verified services like Vercel, and affects popular integrations including Argos CI and Checkly.

TeamPCP Compromises LiteLLM

TeamPCP Compromises LiteLLM: Credential Stealer in PyPI, 70 Repos Exposed

TL;DR

TeamPCP published two malicious litellm versions to PyPI containing a .pth infostealer that runs on every Python startup. A compromised maintainer account was then used to silence the disclosure, deface repositories, and expose 70 private BerriAI repos in minutes. This is a Boost Security contribution to a broader community investigation: multiple teams worked this incident in parallel, each bringing their own angle. We focused on CI/CD forensics and GitHub account takeover evidence. The hunt continues.

$ head articles/**/*.md | more