Posts

Preface Let’s think for a moment what a nightmare supply chain attack could be. An attack that would be so impactful that it could be chained to target almost every company in the world. For an attacker to carry out such an attack they would need to insert themselves into a component fundamental to building the largest open-source software projects on the Internet. What would an attacker need to target in order to carry out this attack? Cloud infrastructure would certainly qualify. What about build agents? Those would certainly be impactful, and SolarWinds put that attack on the map. If an attacker wanted more, the attacker would instead need to target SaaS companies providing hosted build services. Services like GitLab CI, TravisCI, CircleCI, BuildKite, and GitHub Actions fall within this category. ...

I’ve been quite busy with hacking in my spare time, and most of my time has been dedicated to hacking, and most of my writing time has been allocated to reports. Now that I’m allowed to talk about some of my most impressive hacks I plan to post detailed writeups here so that the security community can be on the lookout for these kinds of attacks. The most significant vulnerability I reported was one that provided a path to backdoor the GitHub Actions runner images used for hosted builds on GitHub.com. After a long wait, GitHub resolved the report at the Critical severity and paid out a $20,000 bounty. ...