Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch

GitHub Actions Attack Diagram

The GitHub Actions Attack Diagram is a security research artifact that provides structured guidance for identifying and exploiting vulnerabilities in GitHub Actions workflows. It maps attack paths from initial access to critical outcomes like self-hosted runner takeover and secrets exfiltration, based on real-world red team engagements and public vulnerability research presented at major security conferences. ## Key Features - **Attack Path Mapping** — Visual diagram outlining common TTPs (Tactics, Techniques, and Procedures) for exploiting GitHub Actions misconfigurations. - **Real-World Research** — Based on vulnerabilities exploited in live environments and presented at Black Hat USA 2024 and DEF CON 32. - **Resource Links** — Includes references to detailed slides, blog posts, and conference talks for additional context. - **Community Updates** — Encourages contributions via Issues to keep the diagram current as GitHub's configurations evolve. ## Philosophy The diagram focuses on practical, field-tested attack paths rather than being an exhaustive list, emphasizing actionable guidance for security professionals.

10 real-world stories of how we've compromised CI/CD pipelines

Examples include exploiting S3 misconfigurations, Jenkins plugin flaws, GitLab runner privilege escalations, Kubernetes pod annotation vulnerabilities, and compromised developer laptops