GitHub updated actions/checkout on June 18, 2026 to close the primary pwn request attack path, in which pull_request_target or workflow_run triggers allowed fork-submitted code to execute with base-repository secrets and write-access tokens. The s1ngularity campaign actively exploited this pattern and is confirmed to have compromised Nx build system packages, PostHog, TanStack, and kubernetes-el. Organizations with custom or legacy workflows that do not use actions/checkout remain exposed and must audit independently; GitHub’s fix does not cover those paths.
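One way to start the independent audit described above, as an added example (not GitHub's tooling and not code from the original page): a heuristic Python scan that reports workflows using the named triggers, the lines that reference fork-controlled refs, and the lines that fetch code with git or gh rather than actions/checkout. The function names, the regexes and the sample workflow are constructed assumptions, and a line-based scan will miss refs passed through environment variables.

```python
import re

# Triggers the page names as running with base-repository secrets and tokens.
TRIGGER = re.compile(r"(?<![.\w])(pull_request_target|workflow_run)(?![.\w])")
# GitHub context expressions and ref paths whose content a fork author controls.
FORK_REF = re.compile(
    r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref"
    r"|github\.event\.workflow_run\.head_(?:sha|branch)|refs/pull/"
)
# Code fetched by hand instead of through actions/checkout.
CUSTOM_FETCH = re.compile(r"\bgit\s+(?:fetch|checkout|clone|pull)\b|\bgh\s+pr\s+checkout\b")
COMMENT = re.compile(r"(?:^|\s)#.*$")

# Constructed sample: a legacy workflow that fetches the PR head without actions/checkout.
LEGACY = """\
on:
  pull_request_target:
jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - run: |
          git fetch origin "refs/pull/${{ github.event.number }}/head"
          git checkout FETCH_HEAD   # fork code, base-repo token in scope
          make preview
"""

def audit_workflow(text):
    """Heuristic line-based audit of one workflow file; no YAML parser required."""
    lines = [COMMENT.sub("", ln) for ln in text.splitlines()]
    triggers = sorted(set(TRIGGER.findall("\n".join(lines))))
    report = {"triggers": triggers, "fork_ref_lines": [], "custom_fetch_lines": []}
    if not triggers:  # plain pull_request and push workflows are out of scope here
        return report
    for number, line in enumerate(lines, 1):
        if FORK_REF.search(line):
            report["fork_ref_lines"].append(number)
        if CUSTOM_FETCH.search(line):
            report["custom_fetch_lines"].append(number)
    return report

def needs_manual_audit(report):
    """True when a privileged workflow names a fork ref and fetches code by hand."""
    return bool(report["fork_ref_lines"] and report["custom_fetch_lines"])

if __name__ == "__main__":
    print(audit_workflow(LEGACY), needs_manual_audit(audit_workflow(LEGACY)))
```

Run it over every file under .github/workflows and review any workflow where needs_manual_audit returns True first, since those are the paths the page says the actions/checkout update does not cover.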

Author

Tech Jacks Solutions