In this episode of Mitiga Mic, Brian speaks with Idan Cohen, Senior Cloud Security Analyst at Mitiga, about his recent research into the March 2025 GitHub Actions supply chain attack. Idan explains how a misconfigured workflow in a popular repository allowed attackers to inject malicious scripts, perform memory dumps, and leak sensitive credentials from thousands of dependent organizations. The discussion explores how attackers exploited workflow automation, the dangers of unvalidated pull requests, and why CI/CD pipelines have become such high-value targets. Idan shares practical guidance for developers and security teams on securing GitHub Actions—covering validation, permission scoping, code scanning, and isolating trusted and untrusted jobs. They also discuss detecting non-human identities, using audit and workflow logs for anomaly detection, and strengthening SaaS security through proper monitoring, secret scanning, and routine reviews. It’s an in-depth look at how misconfigurations can turn automation into an attack vector—and what defenders can do to stay ahead.
