Pwning the Entire Nix Ecosystem

Summary

Sep 11, 2025 - 5 ' read Pwning the Entire Nix Ecosystem nixpkgs, nix, github-actions, vulnerabilitylast year at nixcon, me and my friend lexi gave a lightning talk about how we found a vulnerability in nixpkgs that would have allowed us to pwn pretty much the entire nix ecosystem and inject malicious code into nixpkgs. it only took us about a day from starting our search to reporting it and getting it fixed. since i unfortunately was too sick to attend this years nixcon, i thought it might be a good time to write up what we found and how we did it. github actions: the easy target #github actions is a ci/cd system by github that can do pretty much anything in a repo. it’s an easy target for attackers because if you have access to a workflow, you can just commit code without authorization and then you have a supply chain attack. plus, it’s all written in yaml 🇳🇴, which was NEVER meant to be executed !!name: learn-github-actions on: [push] jobs: check-bats-version: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v4 - run: npm install -g bats - run: bats -v this is a simple example of a github action. nothing fancy, just running some commands when code is pushed. the dangerous pull_request_target #actions run when a trigger activates them. there are a bunch of different triggers like pushes, commits, or pull requests. but there’s a special one called pull_request_target that has a few critical differences from regular pull_request.crucially, unlike pull_request, pull_request_target has read/write and secret access by default, even on pull requests from forks. this isn’t vulnerable by itself, but things go south when you start trusting user input from those PRs.github even warns about this in their docs:Warning: For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is trigg...