We've published a new blog post by RyotaK @ryotkak.
He discovered a vulnerability in Claude Code GitHub Actions that allows external attackers to bypass its permission controls via a GitHub issue and abuse the workflow's permissions, along with related misconfigurations.
The vulnerability itself has been fixed in v1.0.94, but the misconfigurations require remediation on each repository. If you use this product, we recommend auditing your configuration and reviewing your workflow run logs.
https://t.co/FmgOhQc3eT
I was invited by @lmt_swallow, @ryoidong and @ryusei_ishika to talk on Flatt Security's Ultra Thinking. It happened to be the very day the second wave of Mini Shai-Hulud hit, so we talked about how tough things are for package managers right now, as well as various topics around Security Camp. Please take a look!