- The Monsters in Your Build Cache – GitHub Actions Cache Poisoning
  GitHub Actions caching has some insecure design decisions that allow for some unique attacks. It’s considered working as intended, but there are many ways it can go wrong. Learn how…
- An Obscure Actions Workflow Vulnerability in Google’s Flank
  Learn about how I used a custom tool to find a Google-owned repository vulnerable to a GitHub Actions Poisoned Pipeline Execution attack and earned a $7,500 bug bounty!
- Web3’s Achilles’ Heel: A Supply Chain Attack on Astar Network
  Web3 has a weakness, and that is CI/CD security. Learn how I responsibly disclosed a Critical vulnerability in Astar Network’s GitHub repository that would have allowed attackers to conduct a…
- CVE-2023-49291 and More – A Potential Actions Nightmare
  I’ve been doing a lot of scanning and reporting of GitHub Actions injection and pwn request vulnerabilities throughout GitHub over the last year. Back in November, I discovered vulnerabilities in…
- One Supply Chain Attack to Rule Them All – Poisoning GitHub’s Runner Images
  I successfully exploited a critical misconfiguration vulnerability in GitHub’s actions/runner images repository. I gained control over build agents used by the repository, accessed secrets, and showed how an attacker could…
- Welcome to my blog – there is more to come!
  I’ve been quite busy with hacking in my spare time, and most of my time has been dedicated to hacking, and most of my writing time has been allocated to…
Welcome to my blog!
I’m Adnan, a security engineer and researcher who likes learning about new ways to break software. My current focus has been CI/CD security and software supply chain attacks targeting GitHub repositories.
This blog will host some of my writings and sometimes rants about my research and findings.