First paragraph (58 words) GitHub Actions' pull_request_target trigger executes code from untrusted forks with full secret access, enabling credential theft and crypto mining. The nx build system exploit leveraged $ variable expansion in shell scripts to hijack AI coding assistant tokens. By design, GitHub allows workflows to process any PR fork, making anonymous contributors a persistent attack vector.

Second paragraph (58 words) tj-actions/changed-files leak compromised 23,000+ repositories through pinned Git tags, while Trivy's compromised cache demonstrated how malicious dependencies propagate silently. The platform's lack of immutable dependency verification lets attackers hijack tags without repository branch access. elementary-data's ten-minute malicious wheel deployment shows how low-effort attacks bypass maintainers entirely.

Third paragraph (58 words) Common factors include write-scoped GITHUB_TOKEN defaults pre-2023, unquoted $ expansions in shell scripts, and cache entries crossing trust boundaries. GitHub's November 2024 patch restricted pull_request_target to default branch workflows but left critical vulnerabilities unaddressed. These incidents reveal a fundamental flaw: the system prioritizes convenience over security in anonymous contribution workflows.

Final paragraph (56 words) Security researchers recommend whitelisting approved forks and using content hashes for action versions. However, GitHub's object pool architecture makes these mitigations technically challenging. Until core design changes occur, open source maintainers face an uphill battle against automated campaigns like prt-scan's six-week PR spree targeting misconfigured workflows.