Code pipeline at risk after GitHub flaw exposed

DT

Tenable has uncovered a critical vulnerability in a Microsoft GitHub repository that could allow attackers to execute code and access sensitive credentials, exposing weaknesses in modern software pipelines. The flaw, rated 9.3 under CVSSv4, highlights growing risks in CI/CD environments as part of the broader attack surface.

Researchers found the issue in the Windows-driver-samples repository, where a simple Python injection could be triggered through a public GitHub issue. Once activated, the automated workflow would run malicious code, enabling attackers to extract tokens and potentially gain write-level access to the repository — opening the door to supply chain compromise.

Tenable warned that organizations must treat CI/CD pipelines as critical infrastructure, urging stricter access controls, tighter permission settings and regular audits of automated workflows to prevent similar exploits and large-scale downstream impact.
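The injection pattern described in the report (issue text expanded inside a workflow script) and the mitigations Tenable recommends (tighter permissions, audited workflows) can both be checked mechanically. The following scanner is an added example, not Tenable's tooling or anything from the Microsoft repository: it scans a GitHub Actions workflow for `${{ }}` expressions that pull attacker-controllable event fields into a `run:` script, and reports whether the workflow declares its own `permissions:` scope. The two sample workflows are constructed here to show the weak pattern beside the corrected one; the list of untrusted contexts is an assumption covering the common issue and pull-request fields.

```python
import re

# Event-payload fields an outside contributor controls (assumed list). Any of
# them expanded with ${{ }} inside a `run:` script becomes shell/Python source.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")


def _run_script_lines(workflow_text):
    """Yield (line_no, text) for every line belonging to a `run:` script.
    Handles inline `run: cmd` and block scalars (`run: |`). A line-based scan
    is used instead of a YAML parser so the example needs no extra module."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        if value in ("|", "|-", ">", ">-"):          # block scalar: body follows
            j = i + 1
            while j < len(lines) and (
                not lines[j].strip()
                or len(lines[j]) - len(lines[j].lstrip()) > indent
            ):
                yield j + 1, lines[j]
                j += 1
            i = j
        else:                                         # inline one-line script
            yield i + 1, value
            i += 1


def find_injection_sinks(workflow_text):
    """Return [(line_no, expression)] for each untrusted-context expression
    expanded inside a run: script. Empty list: this sink class is absent."""
    findings = []
    for line_no, text in _run_script_lines(workflow_text):
        for expr in EXPR_RE.findall(text):
            if any(expr.startswith(ctx) for ctx in UNTRUSTED_CONTEXTS):
                findings.append((line_no, expr))
    return findings


def declares_permissions(workflow_text):
    """True if the workflow sets a top-level `permissions:` block rather than
    inheriting the default GITHUB_TOKEN scope for the repository."""
    return any(l.startswith("permissions:") for l in workflow_text.splitlines())


# Constructed sample: issue-triage workflow with the weak pattern. Actions
# expands ${{ }} before the shell runs, so the quoted heredoc gives no
# protection; the issue title is pasted straight into Python source.
VULNERABLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          python - <<'EOF'
          title = "${{ github.event.issue.title }}"
          print("New issue:", title)
          EOF
"""

# Constructed sample: same job hardened. The title is passed as an environment
# variable and read as data, and the token is explicitly scoped read-only.
HARDENED_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          python - <<'EOF'
          import os
          title = os.environ["ISSUE_TITLE"]   # data, never source
          print("New issue:", title)
          EOF
"""

if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: sinks={find_injection_sinks(wf)} permissions={declares_permissions(wf)}")
```

Run it over a checkout of `.github/workflows/*.yml` to get a first-pass inventory of workflows that interpolate issue or pull-request text into scripts and of workflows still running on the repository's default token scope; the prefix match is deliberate so that nested uses such as `github.event.issue.body` inside a function call are still caught.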