awesome-awesomeness/html/cicdattacks.html

<h1 id="awesome-cicd-attacks-awesome">Awesome CI/CD Attacks <a
href="https://awesome.re"><img src="https://awesome.re/badge.svg"
alt="Awesome" /></a></h1>
<p>Offensive research of systems and processes related to developing and
deploying code.</p>
<h2 id="contents">Contents</h2>
<ul>
<li><a href="#techniques">Techniques</a>
<ul>
<li><a href="#publicly-exposed-sensitive-data">Publicly Exposed
Sensitive Data</a></li>
<li><a href="#initial-code-execution">Initial Code Execution</a></li>
<li><a href="#post-exploitation">Post Exploitation</a></li>
<li><a href="#defense-evasion">Defense Evasion</a></li>
</ul></li>
<li><a href="#tools">Tools</a></li>
<li><a href="#case-studies">Case Studies</a></li>
<li><a href="#similar-projects">Similar Projects</a></li>
</ul>
<h2 id="techniques">Techniques</h2>
<p>A curated list of unique and useful CI/CD attack techniques.</p>
<h3 id="publicly-exposed-sensitive-data">Publicly Exposed Sensitive
Data</h3>
<ul>
<li><a
href="https://trufflesecurity.com/blog/postman-carries-lots-of-secrets">(The)
Postman Carries Lots of Secrets</a> - Postman’s public API network leaks
thousands of secrets due to confusing UI, forks, and insufficient secret
scanning.</li>
<li><a
href="https://www.paloaltonetworks.com/blog/prisma-cloud/secrets-leakage-user-error-azure-cli/">All
the Small Things: Azure CLI Leakage and Problematic Usage Patterns</a> -
Azure CLI leaks secrets to CI/CD logs due to usage patterns.</li>
<li><a
href="https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github">Anyone
can Access Deleted and Private Repository Data on GitHub</a> - As long
as it’s part of a fork network.</li>
<li><a
href="https://duo.com/blog/beyond-s3-exposed-resources-on-aws">Beyond
S3: Exposed Resources on AWS</a> - Public EBS, RDS, AMI and
ElasticSearch clusters exposed to the internet.</li>
<li><a
href="https://securitycafe.ro/2024/05/08/aws-cloudquarry-digging-for-secrets-in-public-amis/">CloudQuarry:
Digging for secrets in public AMIs</a> - Researchers found 500GB of
credentials, private repos, and keys in public AWS AMIs, impacting
various industries.</li>
<li><a
href="https://www.aquasec.com/blog/github-repos-expose-azure-and-red-hat-secrets/">Employee
Personal GitHub Repos Expose Internal Azure and Red Hat Secrets</a> -
Employee’s personal GitHub repos expose internal Azure &amp; Red Hat
secrets.</li>
<li><a
href="https://www.aquasec.com/blog/250m-artifacts-exposed-via-misconfigured-registries/">Fortune
500 at Risk: 250M Artifacts Exposed via Misconfigured Registries</a> -
Misconfigured public registries with software artifacts containing
sensitive proprietary code and secrets.</li>
<li><a href="https://github.com/RichardoC/gitlab-secrets">GitLab
Secrets</a> - A tool that can reveal deleted GitLab commits that
potentially contain sensitive information and are not accessible via the
public Git history.</li>
<li><a href="https://neodyme.io/en/blog/github_secrets/">Hidden GitHub
Commits and How to Reveal Them</a> - A tool that can reveal deleted
GitHub commits that potentially contain sensitive information and are
not accessible via the public Git history.</li>
<li><a
href="https://cloud.google.com/blog/topics/threat-intelligence/bitbucket-pipeline-leaking-secrets">Holes
in Your Bitbucket: Why Your CI/CD Pipeline Is Leaking Secrets</a> -
Bitbucket Secured Variables leak secrets via artifact objects;
recommendations include using dedicated secrets managers and code
scanning.</li>
<li><a
href="https://web.archive.org/web/20230531032433/https://redhuntlabs.com/blog/millions-of-secrets-exposed-via-web-application-frontend/">Millions
of Secrets Exposed via Web Application Frontends</a> - Millions of
secrets exposed in web app frontends via JavaScript and debug
pages.</li>
<li><a href="https://ramimac.me/exposed-docdb">Publicly Exposed AWS
Document DB Snapshots</a> - Publicly exposed AWS DocumentDB snapshot of
Cinemark Brazil revealed millions of customer records.</li>
<li><a
href="https://www.bleepingcomputer.com/news/security/thousands-of-images-on-docker-hub-leak-auth-secrets-private-keys/">Thousands
of images on Docker Hub leak auth secrets, private keys</a> -
Researchers found thousands of Docker Hub images leaking private keys
and API secrets.</li>
</ul>
<h3 id="initial-code-execution">Initial Code Execution</h3>
<ul>
<li><a href="https://github.com/AdnaneKhan/ActionsTOCTOU/">ActionsTOCTOU
(Time Of Check to Time Of Use)</a> - A tool to monitor for an approval
event and then quickly replace a file in the PR head with a local file
specified as a parameter.</li>
<li><a
href="https://www.mend.io/blog/aws-targeted-by-a-package-backfill-attack/">AWS
Targeted by a Package Backfill Attack</a> - Scan commit history for
internal packages to execute dependency confusion.</li>
<li><a href="https://vulcan.io/blog/ai-hallucinations-package-risk">Can
you trust ChatGPT’s package recommendations?</a> - Exploit generative AI
platforms’ tendency to generate non-existent coding libraries to execute
Dependecy Confusion.</li>
<li><a
href="https://www.aquasec.com/blog/can-you-trust-your-vscode-extensions/">Can
You Trust Your VSCode Extensions?</a> - Impersonate popular VSCode
extensions and trick unknowing developers into downloading them.</li>
<li><a
href="https://snyk.io/blog/visual-studio-code-extension-security-vulnerabilities-deep-dive/">Deep
dive into Visual Studio Code extension security vulnerabilities</a> - VS
Code extensions have vulnerabilities (command injection, path traversal,
zip slip) that can compromise developer machines.</li>
<li><a
href="https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610">Dependency
Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other
Companies</a> - Researchers uploaded malicious packages with internal
company names, gaining access to Apple, Microsoft, and others due to
dependency confusion.</li>
<li><a
href="https://www.errno.fr/DockerDependencyConfusion.html">Dependency
Confusions in Docker and remote pwning of your infra</a> - Docker
dependency confusion occurs when a misconfigured Docker mirror pulls
malicious public images instead of private ones.</li>
<li><a
href="https://boostsecurity.io/blog/erosion-of-trust-unmasking-supply-chain-vulnerabilities-in-the-terraform-registry">Erosion
of Trust: Unmasking Supply Chain Vulnerabilities in the Terraform
Registry</a> - Terraform modules are not protected by the Dependency
Lock File, consequently, a seemingly harmless module could potentially
introduce malicious code.</li>
<li><a
href="https://johnstawinski.com/2024/04/15/fixing-typos-and-breaching-microsofts-perimeter/">Fixing
typos and breaching microsoft’s perimeter</a> - Bypass GitHub workflow
approval requirement by becoming a contributor.</li>
<li><a
href="https://www.aquasec.com/blog/github-dataset-research-reveals-millions-potentially-vulnerable-to-repojacking/">GitHub
Dataset Research Reveals Millions Potentially Vulnerable to
RepoJacking</a> - Millions of GitHub repos are vulnerable to RepoJacking
due to org renames, leading to potential code execution.</li>
<li><a
href="https://www.bleepingcomputer.com/news/security/gitloker-attacks-abuse-github-notifications-to-push-malicious-oauth-apps/">Gitloker
attacks abuse GitHub notifications to push malicious OAuth apps</a> -
Attackers use fake GitHub notifications to trick users into authorizing
malicious OAuth apps that steal repo access.</li>
<li><a
href="https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/">Hacking
GitHub AWS integrations again</a> - Attacking misconfigured pipelines
that use OIDC.</li>
<li><a
href="https://observationsinsecurity.com/2024/04/25/how-i-hacked-into-googles-internal-corporate-assets/">How
I hacked into Google’s internal corporate assets</a> - More ways to find
dependencies in code for Dependency Confusion.</li>
<li><a href="https://maia.crimew.gay/posts/how-to-hack-an-airline/">How
to completely own an airline in 3 easy steps</a> - Misconfigured CI
system accessible from the internet.</li>
<li><a
href="https://www.landh.tech/blog/20250211-hack-supply-chain-for-50k/">How
We Hacked a Software Supply Chain for $50K</a> - Scraped JavaScript
front-end files of the target and used ASTs to identify import/require
statements which lead to discovering a public container with NPM
credentials.</li>
<li><a
href="https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/">Introducing
MavenGate: a supply chain attack method for Java and Android
applications</a> - Many public and popular libraries that have long been
abandoned are still being used in huge projects. Access to projects can
be hijacked through domain name purchases.</li>
<li><a
href="https://securitylab.github.com/research/github-actions-preventing-pwn-requests/">Keeping
your GitHub Actions and workflows secure Part 1: Preventing pwn
requests</a> - Combining pull_request_target workflow trigger with an
explicit checkout of an untrusted PR may lead to repository
compromise.</li>
<li><a
href="https://securitylab.github.com/research/github-actions-untrusted-input/">Keeping
your GitHub Actions and workflows secure Part 2: Untrusted input</a> -
GitHub Actions command injection.</li>
<li><a
href="https://medium.com/cider-sec/malicious-code-analysis-abusing-sast-mis-configurations-to-hack-ci-systems-13d5c1b37ffe">Malicious
code analysis: Abusing SAST (mis)configurations to hack CI systems</a> -
Misconfigured SAST tools can be exploited to execute malicious code on
CI systems, allowing attackers to steal credentials or deploy malicious
artifacts.</li>
<li><a
href="https://medium.com/cider-sec/ppe-poisoned-pipeline-execution-34f4e8d0d4e9">PPE
— Poisoned Pipeline Execution</a> - Poisoned Pipeline Execution (PPE)
lets attackers run malicious code in a CI/CD system without direct
access.</li>
<li><a
href="https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/">Security
alert: social engineering campaign targets technology industry
employees</a> - Phishing GitHub users to download and execute
repositories.</li>
<li><a
href="https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/">The
Monsters in Your Build Cache – GitHub Actions Cache Poisoning</a> -
Allows attackers to compromise workflows even with limited permissions
by exploiting vulnerabilities or dependency flaws, attackers steal cache
tokens, fill the cache to force evictions, and replace legitimate
entries with malicious code.</li>
<li><a
href="https://therecord.media/thousands-of-npm-accounts-use-email-addresses-with-expired-domains">Thousands
of npm accounts use email addresses with expired domains</a> -
Maintainer Email hijacking.</li>
<li><a
href="https://bytesafe.dev/posts/understanding-typosquatting-methods/">Understanding
typosquatting methods - for a secure supply chain</a> - Typosquatting
involves publishing malicious packages with names similar to legitimate
ones, exploiting typos to inject malicious code.</li>
<li><a
href="https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability">Vulnerable
GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD
Pipeline</a> - GitHub Actions workflow_run PE.</li>
<li><a
href="https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd">What
the fork? Imposter commits in GitHub Actions and CI/CD</a> - GitHub
Actions vulnerability allows forked commits to bypass workflow security
settings.</li>
<li><a
href="https://securitylabs.datadoghq.com/articles/whoami-a-cloud-image-name-confusion-attack/">whoAMI:
A cloud image name confusion attack</a> - Dependency Confusion using AWS
AMIs.</li>
<li><a
href="https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/">WordPress
Plugin Confusion: How an update can get you pwned</a> - Unclaimed
WordPress plugins are vulnerable to takeover via the plugin
directory.</li>
</ul>
<h3 id="post-exploitation">Post Exploitation</h3>
<ul>
<li><a
href="https://www.praetorian.com/blog/self-hosted-github-runners-are-backdoors/">From
Self-Hosted GitHub Runner to Self-Hosted Backdoor</a> - Attackers
exploit misconfigured runners and weak PAT security to gain persistence,
escalate privileges, and move laterally.</li>
<li><a
href="https://blog.plerion.com/hacking-terraform-state-privilege-escalation/">Hacking
Terraform State for Privilege Escalation</a> - Modifying a Terraform
state file allows attackers to delete infrastructure or execute code via
custom providers.</li>
<li><a
href="https://www.synacktiv.com/publications/hijacking-github-runners-to-compromise-the-organization">Hijacking
GitHub runners to compromise the organization</a> - Registering a GitHub
runner with the ubuntu-latest tag grants access to jobs originally
designated for GitHub-provisioned runners.</li>
<li><a href="https://cycode.com/blog/github-actions-vulnerabilities">How
We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source
Projects</a> - Extracting all repository and organization secrets in
GitHub Actions.</li>
<li><a
href="https://www.apexhq.ai/blog/blog/invisible-ghost-alarming-vulnerability-in-github-copilot/">Invisible
Ghost: Alarming Vulnerability in GitHub Copilot</a> - Using hidden
Unicode characters to manipulate GitHub Copilot’s suggestions.</li>
<li><a
href="https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/">Leaking
Secrets From GitHub Actions: Reading Files And Environment Variables,
Intercepting Network/Process Communication, Dumping Memory</a> - Leaking
secrets from vulnerable GitHub Actions workflows is possible via several
methods: reading files/environment variables, intercepting
communication, and dumping runner memory.</li>
<li><a href="https://github.com/boostsecurityio/lotp">Living off the
pipeline</a> - Inventory how development tools (typically CLIs), have
lesser-known RCE-By-Design features.
<!--lint ignore awesome-list-item--></li>
<li><a
href="broken_links.md/#httpstwittercomalxk7istatus1524353383976558593t5esgwtom2218sgygy5vdoas19">Registering
self-hosted CircleCI runner</a> - Can be used to steal secrets of job
executed on the malicious runner.</li>
<li><a
href="https://www.paloaltonetworks.com/blog/prisma-cloud/github-actions-worm-dependencies/">The
GitHub Actions Worm: Compromising GitHub Repositories Through the
Actions Dependency Tree</a> - A novel GitHub Actions worm exploits the
action dependency tree. Attackers compromise an action, then infect
dependent actions via branch pushes or tag overwrites, spreading malware
recursively.</li>
</ul>
<h3 id="defense-evasion">Defense Evasion</h3>
<ul>
<li><a
href="https://twitter.com/_alxk/status/1442519103885959172?s=21">#redteam
tip: want to discretely extract credentials from a CI/CD pipeline?</a> -
Draft pull requests won’t alert repository contributors, but will still
trigger pipelines.</li>
<li><a
href="https://www.paloaltonetworks.com/blog/prisma-cloud/repository-webhook-abuse-access-ci-cd-systems-at-scale/">Abusing
Repository Webhooks to Access Internal CI/CD Systems at Scale</a> -
Repository webhooks, used to trigger CI/CD pipelines, can be abused to
access internal systems.</li>
<li><a
href="https://medium.com/cider-sec/bypassing-required-reviews-using-github-actions-6e1b29135cc7">Bypassing
required reviews using GitHub Actions</a> - GitHub Actions can bypass
required reviews, allowing malicious code pushes to protected
branches.</li>
<li><a href="https://iter.ca/post/gh-sig-pwn/">Forging signed commits on
GitHub</a> - A bug in GitHub’s API allowed forging signed commits. By
exploiting a regex flaw in an internal Codespaces API endpoint, an
attacker could create commits signed by any user, despite GitHub’s web
flow signature.</li>
<li><a
href="https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-malware-via-microsoft-repo-urls/">GitHub
comments abused to push malware via Microsoft repo URLs</a> - Hidden
GitHub comment link.</li>
<li><a
href="https://www.landh.tech/blog/20240603-npm-cache-poisoning/">How a
Single Vulnerability Can Bring Down the JavaScript Ecosystem</a> - Cache
poisoning attack on the NPM registry rendering packages
unavailable.</li>
<li><a
href="https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-them-all/">One
Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner
Images</a> - A critical vulnerability in GitHub Actions, involving a
misconfigured self-hosted runner in the actions/runner-images
repository, allowed potential compromise of all GitHub and Azure hosted
runner images.</li>
<li><a href="https://github.com/mortenson/pr-sneaking">PR sneaking</a> -
Methods of sneaking malicious code into GitHub pull requests.</li>
<li><a
href="https://x.com/adnanthekhan/status/1829116171045474374">Remove
evidence of malicious pull requests on GitHub</a> - Changing account’s
email to block-listed domain, automatically bans the account.</li>
<li><a
href="https://checkmarx.com/blog/starjacking-making-your-new-open-source-package-popular-in-a-snap/">StarJacking
– Making Your New Open Source Package Popular in a Snap</a> -
StarJacking is a technique where attackers make malicious open-source
packages appear popular.</li>
<li><a
href="https://blog.vlt.sh/blog/the-massive-hole-in-the-npm-ecosystem">The
massive bug at the heart of the npm ecosystem</a> - NPM Manifest
Confusion.</li>
<li><a href="https://trojansource.codes/">Trojan Source</a> - Rather
than inserting logical bugs, adversaries can attack the encoding of
source code files to inject vulnerabilities.</li>
<li><a
href="https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-github-security/">Unpinnable
Actions: How Malicious Code Can Sneak into Your GitHub Actions
Workflows</a> - GitHub Actions, even when pinned to a commit SHA, can
still pull in malicious code via mutable dependencies like Docker
images, unlocked packages, or external scripts.</li>
<li><a
href="https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/">Why
npm lockfiles can be a security blindspot for injecting malicious
modules</a> - Malicious code can be injected into npm projects via
lockfiles (package-lock.json or yarn.lock) because these large,
machine-generated files are rarely reviewed thoroughly.</li>
<li><a
href="https://www.chainguard.dev/unchained/working-as-unexpected">Working
as unexpected</a> - Creating a GitHub branch that matches a branch
protection rule pattern with a workflow file that triggers on push to
gain access to environment secrets.</li>
<li><a href="https://marcyoung.us/post/zuckerpunch/">Zuckerpunch -
Abusing Self Hosted GitHub Runners at Facebook</a> - Hide commits in a
GitHub PR.</li>
</ul>
<h2 id="tools">Tools</h2>
<ul>
<li><a href="https://github.com/xforcered/ADOKit">ADOKit</a> - Azure
DevOps Services Attack Toolkit.</li>
<li><a href="https://github.com/praetorian-inc/gato">Gato</a> - GitHub
Attack Toolkit.</li>
<li><a href="https://github.com/AdnaneKhan/Gato-X">Gato-X</a> - GitHub
Attack Toolkit - Extreme Edition.</li>
<li><a href="https://www.gharchive.org/">GH Archive</a> - A project to
record the public GitHub timeline, archive it, and make it easily
accessible for further analysis.</li>
<li><a href="http://ghtorrent-downloads.ewi.tudelft.nl/mysql/">GHTorrent
Project</a> - A queryable offline mirror of the GitHub API data. <a
href="https://ghtorrent.github.io/tutorial/">Tutorial</a>.</li>
<li><a href="https://github.com/arthaud/git-dumper">git-dumper</a> -
Dump Git repository from a website.</li>
<li><a href="https://github.com/mxrch/gitfive">GitFive</a> - OSINT tool
to investigate GitHub profiles.</li>
<li><a href="https://grep.app/">Grep.app</a> - Search GitHub using
regex.</li>
<li><a
href="https://github.com/Accenture/jenkins-attack-framework">Jenkins
Attack Framework</a> - This tool can manage Jenkins tasks, like listing
jobs, dumping credentials, running commands/scripts, and managing API
tokens.</li>
<li><a href="https://github.com/synacktiv/nord-stream">Nord Stream</a> -
A tool to extract secrets stored inside CI/CD environments.</li>
<li><a href="https://github.com/gquere/pwn_jenkins">pwn_jenkins</a> -
Notes about attacking Jenkins servers.</li>
<li><a href="https://github.com/mazen160/secrets-patterns-db">Secrets
Patterns Database</a> - The largest open-source database for detecting
secrets, API keys, passwords, tokens, and more.</li>
<li><a href="https://sourcegraph.com/search">Sourcegraph</a> - A
web-based code search and navigation tool for public repositories.</li>
<li><a
href="https://blog.projectdiscovery.io/nuclei-v2-5-3-release/">Token-Spray</a>
- Automate token validation using Nuclei.</li>
</ul>
<h2 id="case-studies">Case Studies</h2>
<ul>
<li><a
href="https://research.nccgroup.com/2022/01/13/10-real-world-stories-of-how-weve-compromised-ci-cd-pipelines/">10
real-world stories of how we’ve compromised CI/CD pipelines</a> -
Examples include exploiting S3 misconfigurations, Jenkins plugin flaws,
GitLab runner privilege escalations, Kubernetes pod annotation
vulnerabilities, and compromised developer laptops.</li>
<li><a
href="https://github.com/jstawinski/GitHub-Actions-Attack-Diagram">GitHub
Actions Attack Diagram</a> - Includes public vulnerability research
presented at Black Hat USA 2024 and DEF CON 32.</li>
<li><a
href="https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/">Playing
with Fire – How We Executed a Critical Supply Chain Attack on
PyTorch</a> - Researchers exploited a critical PyTorch vulnerability via
a malicious pull request to execute code on self-hosted runners.</li>
</ul>
<h2 id="similar-projects">Similar Projects</h2>
<ul>
<li><a href="https://github.com/rung/threat-matrix-cicd">Common Threat
Matrix for CI/CD Pipeline</a></li>
<li><a href="https://pbom.dev/">Open Software Supply Chain Attack
Reference (OSC&amp;R)</a></li>
<li><a href="https://riskexplorer.endorlabs.com/#/attack-tree">Risk
Explorer for Software Supply Chains</a></li>
</ul>
<p><a
href="https://github.com/TupleType/awesome-cicd-attacks">cicdattacks.md
Github</a></p>