Awesome CI/CD Attacks
Offensive research of systems and processes related to developing and deploying code.
Contents
- Techniques
- Publicly Exposed Sensitive Data
- Initial Code Execution
- Post Exploitation
- Defense Evasion
- Tools
- Case Studies
- Similar Projects
Techniques
A curated list of unique and useful CI/CD attack techniques.
Publicly Exposed Sensitive Data
- (The) Postman Carries Lots of Secrets - Postman's public API network leaks thousands of secrets due to confusing UI, forks, and insufficient secret scanning.
- All the Small Things: Azure CLI Leakage and Problematic Usage Patterns - Azure CLI commands print keys and connection strings to stdout, so common usage patterns write those secrets straight into CI/CD logs.
- Anyone can Access Deleted and Private Repository Data on GitHub - Commits pushed to any repository in a fork network remain fetchable by hash from the other repositories in that network, even after the source fork, branch or repository is deleted or made private.
- Beyond S3: Exposed Resources on AWS - Public EBS snapshots, RDS snapshots, AMIs and Elasticsearch clusters exposed to the internet.
- CloudQuarry: Digging for secrets in public AMIs - Researchers found 500GB of credentials, private repos, and keys in public AWS AMIs, impacting various industries.
- Employee Personal GitHub Repos Expose Internal Azure and Red Hat Secrets - Employee's personal GitHub repos expose internal Azure & Red Hat secrets.
- Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries - Misconfigured public registries with software artifacts containing sensitive proprietary code and secrets.
- GitLab Secrets - A tool that can reveal deleted GitLab commits that potentially contain sensitive information and are not accessible via the public Git history.
- Hidden GitHub Commits and How to Reveal Them - A tool that can reveal deleted GitHub commits that potentially contain sensitive information and are not accessible via the public Git history.
- Holes in Your Bitbucket: Why Your CI/CD Pipeline Is Leaking Secrets - Bitbucket Secured Variables leak secrets via artifact objects; recommendations include using dedicated secrets managers and code scanning.
- Millions of Secrets Exposed via Web Application Frontends - Millions of secrets exposed in web app frontends via JavaScript and debug pages.
- Publicly Exposed AWS Document DB Snapshots - Publicly exposed AWS DocumentDB snapshot of Cinemark Brazil revealed millions of customer records.
- Thousands of images on Docker Hub leak auth secrets, private keys - Researchers found thousands of Docker Hub images leaking private keys and API secrets.
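Most of the entries above come down to the same step: sweep a corpus (build logs, a JS bundle, an image layer) for credential-shaped strings. The scanner below is an added example, not code from any of the listed projects; it runs over constructed sample data, including an `az storage account keys list` JSON dump of the kind the Azure CLI entry describes. The key formats are the documented public ones (AWS `AKIA...` ids, GitHub `ghp_` tokens, Slack `xox?-` tokens, PEM headers); the Azure patterns and all sample values are assumptions made up for the example.

```python
"""Scan CI logs and shipped frontend bundles for credential-shaped strings.

Added example, not code from the listed projects. All sample data below is
constructed; the AWS id is the documented AWS example key, nothing is live.
"""
import re
from dataclasses import dataclass

# Well-known public credential formats. The "azure_cli_key_field" pattern is the
# generic "value": "<key>" JSON shape that `az storage account keys list` prints
# to stdout; unsuppressed, that output lands verbatim in the build log.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    "azure_cli_key_field": re.compile(
        r'"(?:value|primaryKey|secondaryKey|connectionString)"\s*:\s*"([^"\s]{32,})"'
    ),
}


@dataclass(frozen=True)
class Finding:
    source: str
    line_no: int
    kind: str
    secret: str


def scan_text(text, source):
    """Return one Finding per credential-shaped match, with its line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Use the capture group when the pattern has one (key=value
                # shapes), otherwise the whole match (bare tokens, PEM header).
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(source, line_no, kind, secret))
    return findings


def scan_corpus(corpus):
    """corpus: {source_name: text}. Scans every artifact and concatenates results."""
    out = []
    for source, text in corpus.items():
        out.extend(scan_text(text, source))
    return out


def redact(text, findings):
    """Replace each found secret with a short prefix plus a marker, longest first
    so that a secret that contains another one is masked as a whole."""
    for f in sorted(findings, key=lambda f: len(f.secret), reverse=True):
        if f.kind == "private_key_block":
            continue  # the PEM header is the indicator, not the secret itself
        text = text.replace(f.secret, f.secret[:4] + "***")
    return text


def mask_commands(findings):
    """GitHub Actions '::add-mask::' workflow commands for every secret found, so a
    job can mask values before a later step echoes them into the log."""
    return [f"::add-mask::{f.secret}" for f in findings if f.kind != "private_key_block"]


# Constructed CI log: an Azure CLI key listing plus an exported AWS key.
SAMPLE_CI_LOG = """\
2024-05-02T10:14:03Z [build] az storage account keys list -g prod-rg -n prodstore01
[
  {
    "keyName": "key1",
    "permissions": "FULL",
    "value": "ConstructedExampleKey1Value/NotARealAzureKey+0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJ=="
  }
]
2024-05-02T10:14:04Z [build] export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE (constructed)
"""

# Constructed minified frontend bundle with a Slack token and a GitHub PAT baked in.
SAMPLE_JS_BUNDLE = """\
// main.3f2a1c.js (constructed)
const cfg={apiBase:"https://api.example.test",slack:"xoxb-000000000000-constructedexampletoken"};
const gh="ghp_0123456789abcdefghijABCDEFGHIJ012345";
"""

# Constructed file extracted from a container image layer.
SAMPLE_LAYER = """\
# /root/.ssh/id_rsa from a constructed image layer
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAA(constructed, truncated)
-----END OPENSSH PRIVATE KEY-----
"""

SAMPLE_CORPUS = {
    "ci/build-1234.log": SAMPLE_CI_LOG,
    "dist/main.3f2a1c.js": SAMPLE_JS_BUNDLE,
    "layer/sha256-abc/root/.ssh/id_rsa": SAMPLE_LAYER,
}

if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_CORPUS):
        print(f"{f.source}:{f.line_no} {f.kind} {f.secret[:6]}...")
```

Masking after the fact is the fallback; the fix for the Azure CLI case is to not print the key at all (`--output none`, or a `--query` that selects only the field you need into a masked variable), and for frontends to keep server-side credentials out of the bundle entirely rather than hoping a scanner catches them.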
Initial Code Execution
- ActionsTOCTOU (Time Of Check to Time Of Use) - A tool that watches for a PR approval event and then quickly replaces a file in the PR head with a local file given as a parameter, exploiting the window between the reviewer's check and the workflow's checkout of the PR head.
- AWS Targeted by a Package Backfill Attack - Scan public commit history for references to internal package names, then register those names on the public registry to execute dependency confusion.
- Can you trust ChatGPT's package recommendations? - Exploit generative AI assistants' tendency to recommend non-existent packages: register those names on public registries so that developers who follow the suggestion install attacker code, a dependency confusion variant.
- Can You Trust Your VSCode Extensions? - Impersonate popular VSCode extensions and trick unknowing developers into downloading them.
- Deep dive into Visual Studio Code extension security vulnerabilities - VS Code extensions have vulnerabilities (command injection, path traversal, zip slip) that can compromise developer machines.
- Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies - The researcher uploaded public packages named after companies' internal packages; package managers that prefer the higher public version pulled them in, giving code execution inside Apple, Microsoft and dozens of other companies.