GitHub now blocks, by default, the automatic checkout of code from forked pull requests in privileged workflows, closing the path by which an attacker's PR could run under the repository's GITHUB_TOKEN and read secrets exposed as environment variables.
actions/checkout v7 fails a workflow triggered by pull_request_target or workflow_run when it tries to check out unverified fork code, a step toward a "Security by Default" philosophy.
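The two workflow shapes the items above contrast, shown side by side as an added example (this is not code from the original page, from GitHub or from the actions/checkout project); the repository layout, job names and the NPM_TOKEN secret are hypothetical. The first is the classic "pwn request": a privileged trigger checks out the fork's head commit and then runs its package.json lifecycle scripts with a write-capable token and secrets in the environment. The second splits the work so untrusted code only ever runs under the read-only, secret-less pull_request context, and the privileged job never checks out fork code at all.

```yaml
# --- VULNERABLE (what actions/checkout v7 now refuses at the checkout step) ---
# pull_request_target runs in the BASE repo context: write GITHUB_TOKEN, secrets available.
# Checking out the fork's head SHA and then running `npm ci` executes the attacker's
# preinstall/postinstall scripts with that token and NPM_TOKEN in the environment.
name: pr-build-unsafe
on: pull_request_target            # privileged trigger
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # older release: happily checks out fork code
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted commit
      - run: npm ci && npm test     # runs fork-controlled lifecycle scripts
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}              # now stealable

# --- HARDENED: untrusted code runs only where there is nothing to steal ---
# The pull_request trigger gives fork PRs a read-only GITHUB_TOKEN and no secrets.
name: pr-test
on: pull_request
permissions:
  contents: read                    # least privilege even for same-repo PRs
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - run: npm ci --ignore-scripts && npm test   # no lifecycle scripts from the PR
      - uses: actions/upload-artifact@v4
        with:
          name: test-report
          path: report.json

# --- HARDENED: the privileged side never checks out fork code ---
# workflow_run fires after pr-test finishes, with secrets, but only the base branch
# is checked out (the default ref for workflow_run), and the only thing taken from the
# untrusted run is an artifact that is treated as data, not executed.
name: pr-report
on:
  workflow_run:
    workflows: ["pr-test"]
    types: [completed]
permissions:
  contents: read
  pull-requests: write              # only what commenting on the PR needs
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v7   # base repo, base branch: trusted code only
      - uses: actions/download-artifact@v4
        with:
          name: test-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: |
          # Hypothetical: summarise report.json and post it; parse it as data, never eval it.
          node scripts/post-report.js report.json
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The check to run on an existing repository is simple: grep the workflows for pull_request_target or workflow_run, and for every hit confirm that no checkout step references github.event.pull_request.head (sha or ref) and that nothing downloaded from the untrusted run is executed. Artifacts from a fork's run are attacker-controlled input even when the privileged job never checks out fork code.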
axios versions 1.14.1 and 0.30.4 were published containing malware; any system that installed them, or the other affected npm packages, must be downgraded immediately to a known-clean version, and a host that ran the malicious code should be treated as fully compromised.