Any application that does cross-device authentication is vulnerable to QRLJacking (this type of vulnerability) to some extent, the same way any application with username/password authentication is vulnerable to phishing.
GitHub’s dependency graph is supposed to give us this kind of visibility without any custom scripting, but from my experience it’s pretty spotty and often misses dependencies entirely.
Also, the script from the article doesn’t cover transitive GitHub Actions dependencies. So if a third-party action you’re using relies on a vulnerable action internally, it won’t catch that.
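To illustrate the transitive gap described in the comment above, here is an added sketch (not the article's script and not the commenter's code) that follows `uses:` references from a workflow into the composite actions it calls. The action names under `example-org`, the sample YAML and the `fetch_action_yml` callback are assumptions constructed for the example; in practice the callback would return the `action.yml` of the referenced action at the pinned ref.

```python
import re
from collections import deque

# Matches "uses: owner/repo[/path]@ref" in workflow steps, reusable-workflow
# jobs and composite-action steps. A regex keeps the example dependency-free.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)

def extract_uses(yaml_text):
    """Return remote action refs; local (./) and docker:// refs are skipped."""
    refs = USES_RE.findall(yaml_text)
    return [r for r in refs if not r.startswith(("./", "docker://"))]

def transitive_actions(workflow_text, fetch_action_yml):
    """Breadth-first walk mapping each action ref to whatever pulled it in.

    fetch_action_yml(ref) is a caller-supplied (hypothetical) function that
    returns the action.yml text for ref, or None if it cannot be retrieved.
    """
    parent = {ref: "workflow" for ref in extract_uses(workflow_text)}
    queue = deque(parent)
    while queue:
        ref = queue.popleft()
        manifest = fetch_action_yml(ref)
        if manifest is None:
            continue
        # Only composite actions list nested uses:; JavaScript and Docker
        # actions bundle their dependencies, which this walk cannot see.
        for child in extract_uses(manifest):
            if child not in parent:  # visited check also stops cycles
                parent[child] = ref
                queue.append(child)
    return parent

# Constructed sample data; the example-org actions are hypothetical.
WORKFLOW = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-wrapper@v2
"""
ACTION_MANIFESTS = {
    "example-org/setup-wrapper@v2":
        "runs:\n  using: composite\n  steps:\n"
        "    - uses: example-org/inner-helper@main\n",
    "example-org/inner-helper@main": "runs:\n  using: node20\n  main: index.js\n",
}

if __name__ == "__main__":
    for ref, via in transitive_actions(WORKFLOW, ACTION_MANIFESTS.get).items():
        print(f"{ref}  (via {via})")
```

Here `example-org/inner-helper@main` never appears in the workflow file, so a scan of workflow files alone would not report it.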