← Supply-Chain Attack Compendium

kubernetes-el

Incident Summary

kubernetes-el Emacs package repository compromise

An attacker exploited a Pwn Request flaw in kubernetes-el's GitHub Actions workflow: pull_request_target ran with target-repository privileges and then checked out attacker-controlled PR code. The payload stole repository tokens and secrets, then used the token to push directly to master as github-actions[bot], deface the README, replace kubernetes.el with a destructive command that would run when loaded, and delete most repository files. MELPA removed the package and Emacsmirror updates were blocked, limiting downstream distribution.

Date
2026-03-05 to 2026-03-07
Category
Open Source
Target Surface
Revision control
Insertion Phase
source
Impact
Destructive Code Execution
Cause
GHA Vulnerability

What Was Affected

Package kubernetes-el
LanguageEmacs Lisp
ComponentLibrary
Artifact typesource repository
Domain typesource host
Domain github.com

Incident Context

Motive
Sabotage/Credential Theft
Transitive
No
User Impact
0
Observed Duration
2 days

Evidence

Compromised Artifacts

Current Artifacts and Analysis

Indicators and Changes

Commits

External References

Source Data

Source record: oss/kubernetes-el/meta.yaml