Summary
@tinacms/cli: Remote Code Execution in @tinacms/cli via Forestry migration — unsanitised __TINA_INTERNAL__ marker in user-controlled YAML labels
References
Related vulnerabilities
All Supply chain →- CRITICALGHSA-R253-R9JW-QG44
Crawl4AI: Unauthenticated RCE via Chromium launch-argument injection in browser_config.extra_args
- HIGHGHSA-7QW2-W5RC-37X2
PraisonAI recipe workflow policy can be bypassed by declaring and YAML-approving dangerous tools outside TEMPLATE.yaml
- CRITICALGHSA-P69M-4F92-2V84
PraisonAI: Remote Code Execution via Sandbox Escape in `codeMode` Tool
- CRITICALGHSA-FQ2M-6WQH-X44G
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
- CRITICALGHSA-CXM3-WV7P-598C
On August 26, 2025, attackers exploited a vulnerable GitHub Actions workflow (added Aug 21) susceptible to code injection via a crafted pull-request title to steal Nx's npm publishing token, then published malicious versions of nx (21.5.0, 20.9.0 and others) and several @nx plugins. The malware scanned the filesystem, collected credentials, npm/GitHub tokens, SSH keys and cryptocurrency wallets, and posted them to public GitHub repositories under victim accounts. Dubbed 's1ngularity', it was the first known supply chain attack to weaponize installed AI CLI tools (Claude, Gemini, q) for reconnaissance. The packages were live for about four hours and thousands of secrets were leaked.
- CRITICALSC-PPE-CICDSEC4-2022
Poisoned Pipeline Execution is the class of attack in which an actor with write access to source control, but no direct access to the build environment, injects attacker-controlled commands that the CI pipeline then executes with its own privileges, secrets, and tokens. Direct PPE (D-PPE) modifies the CI configuration file itself (for example .github/workflows, .gitlab-ci.yml, or a Jenkinsfile) by pushing to an unprotected branch or opening a pull request, so the new pipeline steps run on trigger. Indirect PPE (I-PPE) instead poisons files the pipeline already references, such as a Makefile, test harness, build script, or linter config, when the config is protected but the referenced code is not. Public PPE (3PE) abuses public and open-source repositories that run unreviewed code from anonymous fork pull requests, frequently via the dangerous pull_request_target trigger that grants the fork workflow access to repository secrets. The pattern is catalogued as CICD-SEC-4 in the OWASP Top 10 CI/CD Security Risks (published September 2022) and in Cider/Legit Security research, with real cases including public-repo PPE in popular projects and GitHub Actions workflows abused for cryptocurrency mining.