Webinar

Unpacking CodeQLEAKED:

A Potential Supply Chain Attack on GitHub CodeQL

Thursday, April 10 at 1pm ET

Praetorian Red Team Security Engineer, John Stawinski, recently discovered a vulnerability in GitHub’s CodeQL where a token was exposed for just 1.022 seconds. In that brief window, he was able to demonstrate how an attacker could push code to the CodeQL Actions GitHub repository and modify CodeQL’s trusted tags to gain access to private repositories using CodeQL.

The research highlights GitHub Actions secret exposure, race conditions, and third-party action abuse, leading to CVE-2025-24362.

While GitHub’s rapid response has fixed this vulnerability and found no evidence of exploitation, its existence underscores the importance of CI/CD security vigilance.

Register for this webinar for a comprehensive breakdown of this vulnerability, a walkthrough on how it was discovered, and a demo of how you can find similar vulnerabilities in the future.

Hosted By:

John Stawinski
Red Team Security Engineer

John is a Red Team Operator at Praetorian, focused on covert operations, CI/CD and supply chain security, corporate engagements, and public vulnerability research.