🔥 Advanced

CI/CD & Supply Chain Security

The software supply chain is the new frontier of offensive security. A single compromised build pipeline can grant access to thousands of downstream targets.

High-Impact Attack Surface

Supply chain attacks have caused some of the largest security breaches in history. SolarWinds compromised 18,000+ organizations including US government agencies. This is where elite adversaries operate.

Attack Surface Overview

👨‍💻

Developer

Phishing, credential theft

→

🔄

CI/CD Pipeline

Config injection, runner abuse

→

📦

Artifact

Backdoored binaries

⚠️ Compromise anywhere = Compromise everywhere downstream

Key Attack Techniques

🔓 Secret Extraction

Dumping CI/CD environment variables, stealing API keys, cloud credentials, and tokens from build logs.

💉 Pipeline Injection

Modifying build configs to execute arbitrary code during CI/CD runs (workflow files, Jenkinsfiles).

🏃 Runner Compromise

Attacking self-hosted runners for persistence, lateral movement into internal networks.

📦 Dependency Attacks

Typosquatting, dependency confusion, and package hijacking on NPM/PyPI/etc.

Learning Modules

🐙

GitHub Actions

Exploiting workflow misconfigurations, secret leakage, and runner attacks.

→

🔧

Jenkins & GitLab

Attacking CI/CD pipelines, Groovy script console, and runner abuse.

→

☠️

Dependency Poisoning

Supply chain attacks via NPM, PyPI, and internal package registries.

→

☁️

OIDC & Cloud CI/CD

Exploiting OIDC federation to steal AWS, GCP, and Azure credentials.

→

🐳

Container Registry

Poisoning Docker images, registry hijacking, and base image attacks.

→

🔑

Secrets Scanning

Finding leaked credentials in repos, logs, and artifacts.

→

🔷

Azure DevOps

Exploiting Azure Pipelines, variable groups, and service connections.

→

🔄

GitOps & ArgoCD

Attacking GitOps workflows for automatic K8s deployment of backdoors.

→

🏗️

IaC & Terraform

State file secrets, malicious modules, and provisioner RCE.

→

Real-World Supply Chain Attacks

These aren't theoretical. Study them.

Attack	Impact	Technique
SolarWinds (2020)	18,000+ organizations	Build system compromise, backdoor injection
Codecov (2021)	29,000+ customers	Bash uploader script modified to exfiltrate env vars
ua-parser-js (2021)	7M weekly downloads	NPM account takeover, crypto miner injection
Log4Shell (2021)	Millions of apps	Dependency vulnerability (not poisoning, but supply chain)
PyTorch (2022)	ML community	Dependency confusion on torchtriton
CircleCI (2023)	All customers	Session token theft, secrets exposed

Quick Recon

Find GitHub Actions workflow files

find . -path "*/.github/workflows/*.yml" -o -path "*/.github/workflows/*.yaml"

Search for hardcoded secrets in repos

trufflehog git https://github.com/target/repo --only-verified

Check NPM package for install scripts

npm pack <package> && tar -xzf *.tgz && cat package/package.json | jq '.scripts'

Essential Resources

📋

OWASP Top 10 CI/CD Risks

Industry standard framework for CI/CD security.

🛠️

PwnHub

GitHub Actions security research tools.