GitHub Actions Checkout Now Blocks Risky pull_request_target Checkouts
GitHub Actions Checkout v7 now blocks risky pull_request_target checkouts by default.
Summary
GitHub has released actions/checkout v7, which by default blocks a well-known software supply chain risk: a privileged workflow checking out, and then executing, code from an untrusted pull request. Workflows triggered by pull_request_target run in the context of the base repository, so they receive repository secrets and a GITHUB_TOKEN that can carry write permissions. When such a workflow checks out the pull request's head commit (typically by passing github.event.pull_request.head.sha as the ref) and then runs the build or test scripts found there, anyone who opens a pull request from a fork can execute code with those credentials. This "pwn request" pattern, which also appears in some workflow_run-triggered workflows, has previously led to the theft of repository secrets and to unauthorized writes. GitHub describes the new behaviour as a guardrail rather than a complete fix: it only covers what the checkout step itself does, so other ways of fetching untrusted code inside a privileged workflow (a plain git fetch in a run step, for example) are not intercepted and still require careful review.
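The anti-pattern described above, next to a split that keeps untrusted code out of the privileged context, as an added illustration written for this note (it is not taken from the article or from actions/checkout's own documentation). The workflow names, the NPM_TOKEN secret and the .github/scripts/label.js script are assumptions; the triggers, the head.sha expression, the permissions block and persist-credentials are standard GitHub Actions syntax.

```yaml
# Added illustration (not from the article or from actions/checkout).
# File 1: the "pwn request" anti-pattern that actions/checkout v7 is meant to block.
# pull_request_target runs in the BASE repository's context: secrets are available and
# GITHUB_TOKEN can have write scopes. Checking out the PR head and running its scripts
# hands that context to whoever opened the pull request.
name: ci-unsafe
on:
  pull_request_target:
permissions:
  contents: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # untrusted: this commit comes from the fork
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test      # executes package.json scripts chosen by the fork
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret, now readable by the fork's code
---
# File 2: the same work with untrusted code kept out of the privileged context.
# The fork's code is built under pull_request, where a fork gets no secrets and a
# read-only token. The privileged job checks out only the trusted base branch and
# never executes anything taken from the pull request.
name: ci-safe
on:
  pull_request:          # untrusted build
  pull_request_target:   # privileged tasks, base branch code only
permissions:
  contents: read
jobs:
  test-untrusted:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7   # default ref for pull_request: the PR merge commit
        with:
          persist-credentials: false
      - run: npm ci && npm test     # runs with no secrets and a read-only token
  label-privileged:
    if: github.event_name == 'pull_request_target'
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v7   # default ref for pull_request_target: the base branch
        with:
          persist-credentials: false
      # Only PR metadata crosses the trust boundary; no code from the fork is fetched or run.
      - run: node .github/scripts/label.js "$PR_NUMBER"   # hypothetical script living in the base branch
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The second file works because the only thing that moves from the untrusted job to the privileged one is event metadata, never files or scripts. If build output must cross that boundary (a coverage report, for instance), treat it as untrusted input in the privileged job: parse it, do not execute it. Pinning actions to a full commit SHA instead of a major tag is a further hardening step that is independent of the checkout behaviour discussed here.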