How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects

Living off the pipeline

Supply Chain Security Research - Living Off The Pipeline tools

Leaking Secrets From GitHub Actions: Reading Files And Environment Variables, Intercepting Network/Process Communication, Dumping Memory

Leaking secrets from vulnerable GitHub Actions workflows is possible via several methods: reading files/environment variables, intercepting communication, and dumping runner memory

From Self-Hosted GitHub Runner to Self-Hosted Backdoor

Attackers exploit misconfigured runners and weak PAT security to gain persistence, escalate privileges, and move laterally

The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree

A novel GitHub Actions worm exploits the action dependency tree. Attackers compromise an action, then infect dependent actions via branch pushes or tag overwrites, spreading malware recursively