CI-PR-TARGETInitial Access

GitHub Actions pull_request_target Injection

pull_request_target runs in base-repo context with secret access; PRs to a workflow that checks out the fork SHA execute attacker code with secrets.

§ Where this technique fits

CI-PR-TARGET is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 3 on average.

§ Dossiers chaining this technique

pull_request_target injection → secrets → cloud takeover
A GitHub Actions workflow runs on pull_request_target and checks out the PR's head SHA. The attacker's PR injects code that runs with the base repo's secrets, including a cloud deploy role.
step 3 / 7

§ What commonly comes next

01
Workflow Command Injection
CI-WORKFLOW-INJECT · Execution
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

pull_request_target injection → secrets → cloud takeover

§ What commonly comes next