On 5 March 2026, a threat actor exploited a classic “Pwn Request” vulnerability in the CI workflow of kubernetes-el/kubernetes-el, a popular Emacs package for managing Kubernetes clusters. The attacker stole the repository’s GITHUB_TOKEN (with full write permissions), exfiltrated CI/CD secrets, defaced the repository, and injected destructive code. The package has since been removed from MELPA and blocked from updating on the Emacsmirror, affecting users who depend on it for Kubernetes management within Emacs.
A GitHub account named quicktrinny, created just one day before the attack, forked the kubernetes-el repository and opened PR #382 titled “ci: add test,” which triggered the repository’s CI workflow and enabled the attack. The defacement began at 04:30 UTC, followed by a destructive commit at 04:32 UTC and the deletion of most repository files by 04:47 UTC. According to the report, the compromise was discovered on 7 March 2026 by Jonas Bernoulli, the Emacsmirror maintainer.
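The “Pwn Request” pattern named above is a workflow that runs on the privileged `pull_request_target` trigger (repository-scoped GITHUB_TOKEN, secrets available) while checking out and executing code from the untrusted pull-request head. The article does not show kubernetes-el’s actual workflow file, so the script below is an added example rather than the project’s code: it embeds two constructed workflows, one with the vulnerable shape and one hardened variant, plus a third that uses `pull_request_target` safely, and runs a small regex-based check that a maintainer could point at `.github/workflows/` to flag the combination. The detection heuristics (which checkout forms count as untrusted, and the missing `permissions` block as a blast-radius signal) are assumptions of this example, not a complete audit.

```python
"""Flag the 'Pwn Request' pattern in GitHub Actions workflow files.

Added example, not from the original article and not from the
kubernetes-el project. The workflows below are constructed samples.
"""
import glob
import re

# Constructed sample: the vulnerable shape. pull_request_target runs in the
# base repository's context (write-capable GITHUB_TOKEN, secrets in scope),
# yet the job checks out and executes code supplied by the PR author.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
"""

# Constructed sample: hardened variant. The plain pull_request trigger gives
# fork PRs a read-only token and no repository secrets, and `permissions`
# pins the token to read-only even on same-repo branches.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

# Constructed sample: pull_request_target used for its intended purpose
# (acting on PR metadata) without ever checking out the PR's code.
SAFE_TARGET_WORKFLOW = """\
name: label
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

# Matches pull_request_target as a trigger in the mapping, list and
# single-line forms of the `on:` key (assumption: triggers are spelled
# at the start of a line, as they are in conventional workflow files).
TRIGGER_RE = re.compile(r"(?m)^(?:on:\s*(?:\[[^\]]*)?|\s*-?\s*)pull_request_target\b")

# Ways a job pulls the untrusted PR code into a privileged runner.
UNTRUSTED_CHECKOUT_PATTERNS = [
    ("checkout of PR head sha/ref",
     re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}")),
    ("checkout of refs/pull/*/head|merge",
     re.compile(r"refs/pull/\S*/(?:head|merge)")),
    ("gh pr checkout",
     re.compile(r"\bgh\s+pr\s+checkout\b")),
]


def find_pwn_request(workflow_text):
    """Return a list of finding strings; an empty list means no pattern found."""
    findings = []
    if not TRIGGER_RE.search(workflow_text):
        return findings  # not a privileged trigger, nothing to flag
    for name, rx in UNTRUSTED_CHECKOUT_PATTERNS:
        if rx.search(workflow_text):
            findings.append(f"pull_request_target + {name}")
    # Only meaningful once untrusted code runs: without a permissions block
    # the token keeps the repository's default scopes, which may be write.
    if findings and not re.search(r"(?m)^permissions:", workflow_text):
        findings.append("no top-level permissions block (GITHUB_TOKEN keeps its default scopes)")
    return findings


def scan_workflow_dir(pattern=".github/workflows/*.y*ml"):
    """Scan real workflow files on disk; returns {path: findings} for flagged files."""
    results = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            findings = find_pwn_request(fh.read())
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for label, text in [("vulnerable", VULNERABLE_WORKFLOW),
                        ("hardened", HARDENED_WORKFLOW),
                        ("safe target", SAFE_TARGET_WORKFLOW)]:
        print(f"{label}: {find_pwn_request(text) or 'clean'}")
    for path, findings in scan_workflow_dir().items():
        print(f"{path}: {findings}")
```

Run from a repository root to check its own workflows; the exit state of interest is the returned findings, so the function can also be wired into a pre-merge lint. The check is deliberately narrow: a `pull_request_target` job that never checks out PR code (the labeler sample) is not flagged, because the trigger alone is not the defect.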