Impact
A high-severity vulnerability existed in the .github/workflows/release-canary.yml GitHub Actions workflow of the repository. The workflow improperly used the pull_request_target event trigger, which runs in the context of the base repository with access to repository secrets and a write-capable GITHUB_TOKEN. Combined with a checkout of the pull request head, this allowed untrusted code from a forked pull request to be executed in that privileged context.
An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry.
The vulnerability was remediated by removing the workflow file from the repository. No packages were affected.
Going forward, users are strongly advised to:
- Remove or carefully audit any workflows triggered by pull_request_target or issue_comment
- Avoid checking out untrusted code in workflows running with write-level tokens
- Rotate any potentially compromised secrets, especially GITHUB_TOKEN and NPM_TOKEN
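The dangerous pattern described above, followed by a hardened form that applies the recommendations, as an added example. This is illustrative YAML written for this page; it is not the repository's actual release-canary.yml, and the workflow, job and step names, the npm commands, and the use of actions/checkout@v4 are assumptions.

```yaml
# VULNERABLE PATTERN (hypothetical reconstruction, not the original file).
# pull_request_target and issue_comment both run in the BASE repository's
# context: secrets are available and GITHUB_TOKEN can be write-scoped.
# Checking out the fork's head and running `npm install` there executes
# the PR's package.json lifecycle scripts (preinstall, install, postinstall)
# with those credentials in the environment.
name: release-canary (vulnerable pattern)
on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]
jobs:
  canary:
    # A comment containing "!canary" on a PR (from anyone) starts this job.
    if: >-
      github.event_name == 'pull_request_target' ||
      (github.event.issue.pull_request && contains(github.event.comment.body, '!canary'))
    runs-on: ubuntu-latest
    permissions:
      contents: write            # write-level GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v4
        with:
          # BAD: checks out the untrusted PR head into a privileged job.
          ref: ${{ github.event.pull_request.head.sha || format('refs/pull/{0}/head', github.event.issue.number) }}
      # BAD: runs the PR's own lifecycle scripts with secrets present.
      - run: npm install
      - run: npm publish --tag canary
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
---
# HARDENED PATTERN. Fork pull requests trigger `pull_request`, which gets
# a read-only GITHUB_TOKEN and no repository secrets, so running the PR's
# code here cannot leak NPM_TOKEN or push to the repository. Publishing
# belongs in a separate workflow that runs only on a trusted ref
# (e.g. push to the default branch or a release), never on PR content.
name: pr-build (hardened pattern)
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read                 # read-only token for every job
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      # --ignore-scripts blocks preinstall/postinstall from the PR's
      # package.json and from its dependencies during install.
      - run: npm ci --ignore-scripts
      - run: npm test
```

If a comment-driven or label-driven manual gate is still wanted, keep the trigger but never check out the PR head in the job that holds secrets; the GitHub-documented alternative is to build in an unprivileged `pull_request` job and hand an artifact to a privileged `workflow_run` job that operates only on the base repository's own code.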
References