CVE-2026-40903

GitHub · goshs

The goshs SimpleHTTPServer is affected by an ArtiPACKED vulnerability that can lead to the unauthorized leakage of GITHUB_TOKEN credentials via workflow artifacts.

Executive summary

A credential leakage vulnerability in goshs allows unauthorized access to sensitive GITHUB_TOKEN credentials through workflow artifacts.

Vulnerability

"ArtiPACKED" is a class of GitHub Actions weakness in which a workflow artifact inadvertently packages the job's own credentials, so sensitive environment tokens such as GITHUB_TOKEN can be exposed even though they are never stored in the source code repository.

Business impact

Leakage of the GITHUB_TOKEN can give attackers unauthorized access to private repositories, workflow secrets, and deployment environments. With a CVSS score of 9.1, this vulnerability poses a significant risk to the software supply chain and to the organization's development security.

Remediation

Immediate Action: Upgrade goshs to version 2.0.0-beta.6 or later, and immediately rotate any GITHUB_TOKEN credentials that were accessible to the affected versions.

Proactive Monitoring: Audit CI/CD logs for unauthorized access and review artifact storage for potential data leakage.

Compensating Controls: Implement strict permissions on repository artifacts and enforce the use of short-lived tokens where possible.
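The audit step above ("review artifact storage for potential data leakage") can be partly automated. The following is an added example, not code from this advisory or from the goshs project: a Python scanner that walks an already downloaded and unpacked workflow artifact directory and reports any GitHub token it finds. It assumes the leak shape documented for the ArtiPACKED class in GitHub Actions, where actions/checkout persists the job token in .git/config as a base64 basic-auth `extraheader`; the token prefixes are GitHub's real formats, while the sample artifact the script builds in a temporary directory is constructed with a fake token.

```python
"""Scan an unpacked GitHub Actions artifact for leaked GitHub tokens.

Added example, not part of the advisory or the goshs project. It assumes the
artifact has been downloaded and extracted into a local directory, and looks
for both plaintext tokens and the base64 basic-auth extraheader that
actions/checkout writes into .git/config when credentials are persisted.
"""
import base64
import binascii
import re
import tempfile
from pathlib import Path

# GitHub token formats: ghp_/gho_/ghu_/ghs_/ghr_ (ghs_ is the per-job
# GITHUB_TOKEN) and fine-grained github_pat_ tokens.
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")
# actions/checkout persists credentials as:
#   extraheader = AUTHORIZATION: basic <base64("x-access-token:<token>")>
EXTRAHEADER_RE = re.compile(r"AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)

# Skip very large files so the scan stays fast on big build artifacts.
MAX_FILE_BYTES = 8 * 1024 * 1024


def redact(token: str) -> str:
    """Keep only the prefix and last four characters so findings are safe to log."""
    prefix = "github_pat_" if token.startswith("github_pat_") else token[:4]
    return f"{prefix}...{token[-4:]}"


def find_tokens(text: str) -> list[str]:
    """Return every plaintext or extraheader-encoded GitHub token in a text blob."""
    found = list(TOKEN_RE.findall(text))
    for b64 in EXTRAHEADER_RE.findall(text):
        try:
            decoded = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue
        # The decoded header is "x-access-token:<token>"; the token part matches TOKEN_RE.
        found.extend(TOKEN_RE.findall(decoded))
    return found


def scan_artifact(root: Path) -> list[dict]:
    """Walk an unpacked artifact and report each file that contains a token."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_FILE_BYTES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for token in find_tokens(text):
            findings.append({
                "file": str(path.relative_to(root)),
                "token": redact(token),
                # A hit under .git means checkout credentials travelled with the artifact.
                "via_git_config": ".git" in path.parts,
            })
    return findings


def build_sample_artifact(root: Path) -> None:
    """Write a constructed artifact tree that reproduces the leak shape (sample data)."""
    fake_token = "ghs_" + "A" * 36  # constructed placeholder, not a real token
    header = base64.b64encode(f"x-access-token:{fake_token}".encode()).decode()
    git_dir = root / ".git"
    git_dir.mkdir(parents=True)
    (git_dir / "config").write_text(
        '[http "https://github.com/"]\n'
        f"\textraheader = AUTHORIZATION: basic {header}\n"
    )
    (root / "build.log").write_text("compiled goshs, no secrets here\n")


def demo() -> list[dict]:
    """Build the constructed artifact in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_artifact(root)
        return scan_artifact(root)


if __name__ == "__main__":
    # Against a real download, call scan_artifact(Path("<extracted artifact dir>")).
    for finding in demo():
        print(finding)
```

Running the script prints one finding for `.git/config` with the token redacted to its prefix and last four characters. A finding with `via_git_config` set means the checkout step persisted its credentials into the uploaded tree; the token in question should be rotated, and the workflow changed so the artifact no longer includes `.git` or checkout no longer persists credentials.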

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Security teams must treat this as a high-priority incident. Beyond applying the software update, it is critical to assume that existing tokens may have been compromised and to perform a full credential rotation across all affected workflows.