Two things combined.

First: Git tags are not immutable. When you write actions/[email protected] in your pipeline you are not pinning to a fixed commit. The tag is just a pointer and whoever controls the repo can silently move it to point to different code. Most teams assume a version tag means a fixed version. It does not.

Second: Git does not verify who makes a commit. Anyone can set their name to any Aqua Security developer they want. The malicious commit looked like it came from a trusted author because Git has no identity enforcement at all.

The practical fix for the first problem is pinning to a full commit hash instead of a tag name. That hash cannot be moved.

Almost nobody does this by default which is why the attack worked at scale. its very common supply chain failure pattern.