Goshs
Monthly
Remote unauthenticated attackers can leak GitHub workflow tokens from goshs repositories via ArtiPACKED attack. The vulnerability exploits artifact packaging mechanisms to extract GITHUB_TOKEN credentials despite the token never appearing in source code. With CVSS 9.1 (Critical) and network attack vector requiring no authentication, this poses immediate risk to CI/CD pipelines using goshs. No public exploit identified at time of analysis, though the attack technique (ArtiPACKED) is documented. EPSS data unavailable; not listed in CISA KEV.
Remote unauthenticated attackers can leak GitHub workflow tokens from goshs repositories via ArtiPACKED attack. The vulnerability exploits artifact packaging mechanisms to extract GITHUB_TOKEN credentials despite the token never appearing in source code. With CVSS 9.1 (Critical) and network attack vector requiring no authentication, this poses immediate risk to CI/CD pipelines using goshs. No public exploit identified at time of analysis, though the attack technique (ArtiPACKED) is documented. EPSS data unavailable; not listed in CISA KEV.