Overview

I identified a High risk vulnerability impacting GitHub’s dependabot-core repository that could have allowed an attacker to conduct a supply chain attack on GitHub users by backdooring the Dependabot containers. The cause of the vulnerability was a race condition in a workflow that maintainers would trigger to perform integration testing on approved pull requests prior to merging.

Background

Continuous Integration / Continuous Delivery (CI/CD) pipelines for Open-Source (and even cl...