THREAT OPS › Threat News › Bringing full YAML anchor support to zizmor
Bringing full YAML anchor support to zizmor
<p>In March 2026, attackers exploited a <code>pull_request_target</code> misconfiguration in the <a href="https://github.com/aquasecurity/trivy-action"><code>aquasecurity/trivy-action</code></a> GitHub Action to exfiltrate organization and repository secrets, then used those credentials to backdoor <a href="https://github.com/BerriAI/litellm">LiteLLM</a> on PyPI (see <a href="https://github.com/aq
MITRE ATT&CK techniques
- CredentialsT1589.001
Indicators of compromise
- https://github.blog/changelog/2025-09-18-actions-yaml-anchors-and-non-public-workflow-templates/url
- https://blog.yossarian.net/2025/09/22/dear-github-no-yaml-anchorsurl
- https://www.sovereign.tech/url