It's been done, multiple times. Here's a handful (96) of documented cases which are somewhat recent. [0][1]
It seems to be surprisingly easy to abuse the process, and GitHub are continually playing catch up.
[0] https://dev.to/thibaultduponchelle/the-github-action-mining-...
[1] https://www.bleepingcomputer.com/news/security/github-action...