I fear it’s only a matter of time before a popular action is maliciously compromised.
You can protect yourself somewhat [1], but still, it’s going to be a surprise to some when it does happen.
1: https://docs.github.com/en/actions/learn-github-actions/secu...