Yaron Avital

I'm a cybersecurity pro with a knack for breaking (and fixing) things. I spent a decade as a developer at startups and big companies before jumping into security research. Now, I'm a Principal Researcher at Palo Alto Networks, specializing in AppSec and LLM security.

Currently ranked #6 in Israel at Google VRP program and member of GitHub's bug bounty program.
Side note: when I'm not poking holes in code, I'm a certified master diver 🤿 and make a mean ramen noodle soup 🍜. Seriously, it's legendary.

GitHub Security CI/CD Security Supply Chain Attacks DevSecOps

Research Publications

ArtiPACKED

GitHub Repository Artifacts Leak Tokens

Analysis of how GitHub repository artifacts can inadvertently leak sensitive tokens and credentials, exposing organizations to security risks.

Read More →
tj-actions GitHub Action Supply Chain Attack

tj-actions GitHub Action Supply Chain Attack

In-depth research on supply chain vulnerabilities in GitHub Actions workflows and how attackers can exploit CI/CD pipelines.

Read More →
Unpinnable Actions

Unpinnable Actions GitHub Security

Investigation into GitHub Actions that cannot be pinned to specific versions, creating potential security vulnerabilities.

Read More →
Opt-Out Permissions Model

GitHub Actions Opt-Out Permissions Model

Analysis of GitHub Actions permission models and the security implications of opt-out vs opt-in approaches.

Read More →
Prevent Inadequate IAM GitHub Organization

Prevent Inadequate IAM GitHub Organization

Best practices and recommendations for securing GitHub organizations through proper Identity and Access Management.

Read More →
GeekTime ArtiPACKED Coverage

A New Security Breach in GitHub Actions Threatens Software Giants

GeekTime coverage (Hebrew) of the ArtiPACKED vulnerability research, highlighting how this attack vector affects major companies like Canonical, Google, AWS, and Microsoft.

Read Article →

In the News

The Hacker News coverage of the ArtiPACKED

The Hacker News coverage of the ArtiPACKED vulnerability research, highlighting how this attack vector in GitHub Actions artifacts could allow malicious actors to steal tokens and gain unauthorized access to repositories.

Published: Aug 15, 2024

Read Article →

Bleeping Computer

Bleeping Computer coverage of the ArtiPACKED research, reporting how multiple high-profile open-source projects from Google, Microsoft, and AWS were inadvertently leaking GitHub authentication tokens through CI/CD workflow artifacts.

Published: Aug 14, 2024

Read Article →

CVE-2025-53097: Roo Code Workspace Security Vulnerability

Discovered and reported a security vulnerability in Roo Code agent's search_files tool that didn't respect workspace read limitations, potentially allowing unauthorized file access. CVSS Score: 7.5 (HIGH).

CVE Published: 2025

View CVE →

Open Source Projects

Prevent Inadequate IAM GitHub Organization

CICD Goat

A deliberately vulnerable CI/CD environment designed for learning and testing security vulnerabilities in CI/CD pipelines. This hands-on educational platform helps security professionals understand and practice identifying CI/CD security issues.

View on GitHub →

Conference Talks

BSidesLV 2023

Actions have consequences: The overlooked Security Risks in 3rd party GitHub Actions

Watch on YouTube →

BSidesLV 2024

Raiders of the Lost Artifacts: Racing for Hidden Treasures in Public GitHub Repositories

Watch on YouTube →
OWASP Logo
Global AppSec Barcelona 2025
Think Before You Prompt
Securing LLMs from a Code Perspective

OWASP Global AppSec Barcelona 2025

Think Before You Prompt: Securing Large Language Models from a Code Perspective

More Info →

Let's Connect

Interested in collaborating on cybersecurity research or discussing CI/CD security?