The recent TanStack npm supply chain attack exploited the GitHub Actions pull_request_target workflow, compromising the release pipeline. This has raised concerns, not only for me but for many developers, that widely used official packages (such as Microsoft.Extensions.*) may be at similar risk.
Because Microsoft.Extensions.* libraries are often added to .NET projects with near-unconditional trust, their security status has a significant impact on the entire ecosystem. Knowing whether pull_request_target is being used in the CI/CD workflows of these repositories would provide considerable peace of mind for the community.
Request:
- Could you please publish a short security note or advisory specifying that GitHub Actions workflows for dotnet/runtime, dotnet/extensions, or related repositories use only more secure triggers (such as push and pull_request)?
- If currently in use, could you please describe any mitigation measures or migration plans you have implemented?
I believe this level of transparency will help developers feel more confident using the supply chain and reduce concerns when adopting official .NET packages.
https://thehackernews.com/2026/05/mini-shai-hulud-worm-compromises.html
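For context on the trigger the issue asks about, here is an added illustration (constructed for this page, not taken from the issue or from any dotnet repository's real workflows) of the workflow pattern that makes pull_request_target risky, beside the pull_request form the request suggests. Workflow and job names are placeholders.

```yaml
# UNSAFE pattern (constructed example). pull_request_target runs in the context
# of the BASE repository, so GITHUB_TOKEN has write access and repository
# secrets are available even for pull requests opened from forks.
name: pr-build-unsafe
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checking out the PR head and then building it means code from the
          # fork (build scripts, MSBuild targets, test code) executes with the
          # base repository's privileges. This is the combination to avoid.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: dotnet build
---
# SAFER pattern (constructed example). pull_request runs fork PRs with a
# read-only GITHUB_TOKEN and no repository secrets, so untrusted code from the
# fork cannot reach release credentials. Least-privilege permissions are also
# declared explicitly rather than inherited from repository defaults.
name: pr-build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checks out the merge ref by default
      - run: dotnet build
```

A quick audit of a checked-out repository for the trigger is `grep -rn pull_request_target .github/workflows/`; any hit that also checks out and executes the PR head deserves the review the issue is asking for.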