CI/CD Attacks

repo: TupleType/awesome-cicd-attacks
category: Security related: Devsecops · Github Actions


Awesome CI/CD Attacks

Offensive research of systems and processes related to developing and deploying code.

Contents

Techniques

A curated list of unique and useful CI/CD attack techniques.

Publicly Exposed Sensitive Data

Initial Code Execution

  • ActionsTOCTOU (Time Of Check to Time Of Use) - A tool to monitor for an approval event and then quickly replace a file in the PR head with a local file specified as a parameter.
  • AWS Targeted by a Package Backfill Attack - Scan commit history for internal packages to execute dependency confusion.
  • [Can you trust ChatGPT's package recommendations?](https://vulcan.io/blog/ai-hallucinations-package-risk) - Exploit generative AI platforms' tendency to generate non-existent coding libraries to execute Dependency Confusion.
  • Can You Trust Your VSCode Extensions? - Impersonate popular VSCode extensions and trick unknowing developers into downloading them.
  • [Deep dive into Visual Studio Code extension security vulnerabilities](https://snyk.io/blog/visual-studio-code-extension-security-vulnerabilities-deep-dive/) - VS Code extensions have vulnerabilities (command injection, path traversal, zip slip) that can compromise developer machines.
  • Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - Researchers uploaded malicious packages with internal company names, gaining access to Apple, Microsoft, and others due to dependency confusion.
  • [Dependency Confusions in Docker and remote pwning of your infra](https://www.errno.fr/DockerDependencyConfusion.html) - Docker dependency confusion occurs when a misconfigured Docker mirror pulls malicious public images instead of private ones.
  • [Erosion of Trust: Unmasking Supply Chain Vulnerabilities in the Terraform Registry](https://boostsecurity.io/blog/erosion-of-trust-unmasking-supply-chain-vulnerabilities-in-the-terraform-registry) - Terraform modules are not protected by the Dependency Lock File; consequently, a seemingly harmless module could potentially introduce malicious code.
  • Fixing typos and breaching microsoft's perimeter - Bypass GitHub workflow approval requirement by becoming a contributor.
  • GitHub Dataset Research Reveals Millions Potentially Vulnerable to RepoJacking - Millions of GitHub repos are vulnerable to RepoJacking due to org renames, leading to potential code execution.
  • [Gitloker attacks abuse GitHub notifications to push malicious OAuth apps](https://www.bleepingcomputer.com/news/security/gitloker-attacks-abuse-github-notifications-to-push-malicious-oauth-apps/) - Attackers use fake GitHub notifications to trick users into authorizing malicious OAuth apps that steal repo access.
  • [Hacking GitHub AWS integrations again](https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/) - Attacking misconfigured pipelines that use OIDC.
  • How I hacked into Google's internal corporate assets - More ways to find dependencies in code for Dependency Confusion.
  • How to completely own an airline in 3 easy steps - Misconfigured CI system accessible from the internet.
  • How We Hacked a Software Supply Chain for $50K - Scraped JavaScript front-end files of the target and used ASTs to identify import/require statements, which led to discovering a public container with NPM credentials.
  • [Introducing MavenGate: a supply chain attack method for Java and Android applications](https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/) - Many public and popular libraries that have long been abandoned are still being used in huge projects. Access to projects can be hijacked through domain name purchases.
  • [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) - Combining pull_request_target workflow trigger with an explicit checkout of an untrusted PR may lead to repository compromise.
  • [Keeping your GitHub Actions and workflows secure Part 2: Untrusted input](https://securitylab.github.com/research/github-actions-untrusted-input/) - GitHub Actions command injection.
  • Malicious code analysis: Abusing SAST (mis)configurations to hack CI systems - Misconfigured SAST tools can be exploited to execute malicious code on CI systems, allowing attackers to steal credentials or deploy malicious artifacts.
  • PPE — Poisoned Pipeline Execution - Poisoned Pipeline Execution (PPE) lets attackers run malicious code in a CI/CD system without direct access.
  • Security alert: social engineering campaign targets technology industry employees - Phishing GitHub users to download and execute repositories.
  • [The Monsters in Your Build Cache – GitHub Actions Cache Poisoning](https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/) - Allows attackers to compromise workflows even with limited permissions: by exploiting vulnerabilities or dependency flaws, attackers steal cache tokens, fill the cache to force evictions, and replace legitimate entries with malicious code.
  • Thousands of npm accounts use email addresses with expired domains - Maintainer email hijacking.
  • Understanding typosquatting methods - for a secure supply chain - Typosquatting involves publishing malicious packages with names similar to legitimate ones, exploiting typos to inject malicious code.
  • [Vulnerable GitHub Actions Workflows Part 1: Privilege Escalation Inside Your CI/CD Pipeline](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability) - GitHub Actions workflow_run PE.
  • [What the fork? Imposter commits in GitHub Actions and CI/CD](https://www.chainguard.dev/unchained/what-the-fork-imposter-commits-in-github-actions-and-ci-cd) - GitHub Actions vulnerability allows forked commits to bypass workflow security settings.
  • whoAMI: A cloud image name confusion attack - Dependency Confusion using AWS AMIs.
  • WordPress Plugin Confusion: How an update can get you pwned - Unclaimed WordPress plugins are vulnerable to takeover via the plugin directory.

Post Exploitation

  • [From Self-Hosted GitHub Runner to Self-Hosted Backdoor](https://www.praetorian.com/blog/self-hosted-github-runners-are-backdoors/) - Attackers exploit misconfigured runners and weak PAT security to gain persistence, escalate privileges, and move laterally.

  • [Hacking Terraform State for Privilege Escalation](https://blog.plerion.com/hacking-terraform-state-privilege-escalation/) - Modifying a Terraform state file allows attackers to delete infrastructure or execute code via custom providers.

  • [Hijacking GitHub runners to compromise the organization](https://www.synacktiv.com/publications/hijacking-github-runners-to-compromise-the-organization) - Registering a GitHub runner with the ubuntu-latest tag grants access to jobs originally designated for GitHub-provisioned runners.

  • How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects - Extracting all repository and organization secrets in GitHub Actions.

  • [Invisible Ghost: Alarming Vulnerability in GitHub Copilot](https://www.apexhq.ai/blog/blog/invisible-ghost-alarming-vulnerability-in-github-copilot/) - Using hidden Unicode characters to manipulate GitHub Copilot's suggestions.

  • [Leaking Secrets From GitHub Actions: Reading Files And Environment Variables, Intercepting Network/Process Communication, Dumping Memory](https://karimrahal.com/2023/01/05/github-actions-leaking-secrets/) - Leaking secrets from vulnerable GitHub Actions workflows is possible via several methods: reading files/environment variables, intercepting communication, and dumping runner memory.

  • Living off the pipeline - An inventory of development tools (typically CLIs) that have lesser-known RCE-By-Design features.

  • Registering self-hosted CircleCI runner - Can be used to steal secrets of jobs executed on the malicious runner.

  • [The GitHub Actions Worm: Compromising GitHub Repositories Through the Actions Dependency Tree](https://www.paloaltonetworks.com/blog/prisma-cloud/github-actions-worm-dependencies/) - A novel GitHub Actions worm exploits the action dependency tree. Attackers compromise an action, then infect dependent actions via branch pushes or tag overwrites, spreading malware recursively.

Defense Evasion

  • #redteam tip: want to discretely extract credentials from a CI/CD pipeline? - Draft pull requests won't alert repository contributors, but will still trigger pipelines.
  • Abusing Repository Webhooks to Access Internal CI/CD Systems at Scale - Repository webhooks, used to trigger CI/CD pipelines, can be abused to access internal systems.
  • [Bypassing required reviews using GitHub Actions](https://medium.com/cider-sec/bypassing-required-reviews-using-github-actions-6e1b29135cc7) - GitHub Actions can bypass required reviews, allowing malicious code pushes to protected branches.
  • Forging signed commits on GitHub - A bug in GitHub's API allowed forging signed commits. By exploiting a regex flaw in an internal Codespaces API endpoint, an attacker could create commits signed by any user, despite GitHub's web flow signature.
  • GitHub comments abused to push malware via Microsoft repo URLs - Hidden GitHub comment link.
  • [How a Single Vulnerability Can Bring Down the JavaScript Ecosystem](https://www.landh.tech/blog/20240603-npm-cache-poisoning/) - Cache poisoning attack on the NPM registry rendering packages unavailable.
  • [One Supply Chain Attack to Rule Them All – Poisoning GitHub's Runner Images](https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-them-all/) - A critical vulnerability in GitHub Actions, involving a misconfigured self-hosted runner in the actions/runner-images repository, allowed potential compromise of all GitHub and Azure hosted runner images.
  • PR sneaking - Methods of sneaking malicious code into GitHub pull requests.
  • Remove evidence of malicious pull requests on GitHub - Changing the account's email to a block-listed domain automatically bans the account.
  • StarJacking – Making Your New Open Source Package Popular in a Snap - StarJacking is a technique where attackers make malicious open-source packages appear popular.
  • The massive bug at the heart of the npm ecosystem - NPM Manifest Confusion.
  • Trojan Source - Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities.
  • [Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows](https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-github-security/) - GitHub Actions, even when pinned to a commit SHA, can still pull in malicious code via mutable dependencies like Docker images, unlocked packages, or external scripts.
  • [Why npm lockfiles can be a security blindspot for injecting malicious modules](https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/) - Malicious code can be injected into npm projects via lockfiles (package-lock.json or yarn.lock) because these large, machine-generated files are rarely reviewed thoroughly.
  • Working as unexpected - Creating a GitHub branch that matches a branch protection rule pattern with a workflow file that triggers on push to gain access to environment secrets.
  • [Zuckerpunch - Abusing Self Hosted GitHub Runners at Facebook](https://marcyoung.us/post/zuckerpunch/) - Hide commits in a GitHub PR.

Tools

Case Studies

Similar Projects
