Adnan Khan's Security Research BlogSecurity research focused on CI/CD vulnerabilities, software supply chain attacks, and developer tooling security.https://adnanthekhan.com/en-usTurning Almost Nothing into a Supply Chain Compromise of Angular with GitHub Actions Cache Poisoninghttps://adnanthekhan.com/posts/angular-compromise-through-dev-infra/https://adnanthekhan.com/posts/angular-compromise-through-dev-infra/Tue, 03 Mar 2026 00:00:00 GMTcache-poisoninggithubactionsbugbountyadnanthekhanClinejection — Compromising Cline's Production Releases just by Prompting an Issue Triagerhttps://adnanthekhan.com/posts/clinejection/https://adnanthekhan.com/posts/clinejection/Mon, 09 Feb 2026 09:00:00 GMTcicdgithubactionscache-poisoningaiadnanthekhanCopilot or Coconspirator - Tricking GitHub Copilot and Stealing all Your Secretshttps://adnanthekhan.com/posts/copilot-or-co-conspirator/https://adnanthekhan.com/posts/copilot-or-co-conspirator/Wed, 07 Jan 2026 00:00:00 GMTcicdaigithubbugbountyadnanthekhanWho's SHA is it Anyway: Bypassing Google Cloud Build Comment Control for $30,000https://adnanthekhan.com/posts/cloud-build-toctou/https://adnanthekhan.com/posts/cloud-build-toctou/Mon, 21 Jul 2025 10:00:00 GMTcicdbugbountyadnanthekhanWatch your Dispatch: Race Condition in Dependabot Core CIhttps://adnanthekhan.com/posts/dependabot-core-toctou-writeup/https://adnanthekhan.com/posts/dependabot-core-toctou-writeup/Fri, 02 May 2025 18:00:00 GMTbugbountycicdgithubadnanthekhan(Not So) Safe{Wallet}: GitHub Actions Risks Impacting Safe''s Frontendhttps://adnanthekhan.com/2025/02/27/not-so-safewallet-github-actions-risks-impacting-safes-frontend/https://adnanthekhan.com/2025/02/27/not-so-safewallet-github-actions-risks-impacting-safes-frontend/Thu, 27 Feb 2025 23:59:48 GMTcicdgithubactionssecuritysupplychaingithubweb3adnanthekhanCacheract: The Monster in your Build Cachehttps://adnanthekhan.com/2024/12/21/cacheract-the-monster-in-your-build-cache/https://adnanthekhan.com/2024/12/21/cacheract-the-monster-in-your-build-cache/In this post, I demonstrate Cacheract, which is an open source proof-of-concept for 'Cache Native Malware' that exploits GitHub Actions cache misconfigurations.Sun, 22 Dec 2024 00:02:52 GMTcicdgithubactionssecuritysupplychainadnanthekhanRelease-Drafter To google/accompanist Compromise: VRP Writeuphttps://adnanthekhan.com/2024/11/11/release-drafter-to-google-accompanist-compromise-vrp-writeup/https://adnanthekhan.com/2024/11/11/release-drafter-to-google-accompanist-compromise-vrp-writeup/Tue, 12 Nov 2024 02:35:40 GMTbugbountycicdgithubactionssecuritygithubadnanthekhanBlackHat 2024 and DEF CON 32 Previewhttps://adnanthekhan.com/2024/07/30/blackhat-2024-and-def-con-32-preview/https://adnanthekhan.com/2024/07/30/blackhat-2024-and-def-con-32-preview/Tue, 30 Jul 2024 13:00:00 GMTbugbountygithubgithubactionssecuritydevopsgithub-actionsadnanthekhanRoguePuppet - A Critical Puppet Forge Supply Chain Vulnerabilityhttps://adnanthekhan.com/2024/07/02/roguepuppet-a-critical-puppet-forge-supply-chain-vulnerability/https://adnanthekhan.com/2024/07/02/roguepuppet-a-critical-puppet-forge-supply-chain-vulnerability/Tue, 02 Jul 2024 09:57:09 GMTcicdgithubactionssecuritysupplychaingithubgithub-actionsadnanthekhanThe Monsters in Your Build Cache - GitHub Actions Cache Poisoninghttps://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/https://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/Mon, 06 May 2024 09:41:00 GMTbugbountycicdgithubsupplychaindevopsgithub-actionsadnanthekhanAn Obscure Actions Workflow Vulnerability in Google's Flankhttps://adnanthekhan.com/2024/04/15/an-obscure-actions-workflow-vulnerability-in-googles-flank/https://adnanthekhan.com/2024/04/15/an-obscure-actions-workflow-vulnerability-in-googles-flank/Mon, 15 Apr 2024 14:00:00 GMTbugbountycicdgithubsecuritysupplychainadnanthekhanWeb3''s Achilles'' Heel: A Supply Chain Attack on Astar Networkhttps://adnanthekhan.com/2024/01/19/web3s-achilles-heel-a-supply-chain-attack-on-astar-network/https://adnanthekhan.com/2024/01/19/web3s-achilles-heel-a-supply-chain-attack-on-astar-network/Fri, 19 Jan 2024 22:09:11 GMTbugbountycicdgithubsecuritysupplychainastarcryptodefiweb3adnanthekhanCVE-2023-49291 and More - A Potential Actions Nightmarehttps://adnanthekhan.com/2024/01/10/cve-2023-49291-and-more-a-potential-actions-nightmare/https://adnanthekhan.com/2024/01/10/cve-2023-49291-and-more-a-potential-actions-nightmare/Thu, 11 Jan 2024 02:37:44 GMTcicdgithubsecuritysupplychaincveadnanthekhanOne Supply Chain Attack to Rule Them All - Poisoning GitHub's Runner Imageshttps://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-them-all/https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-them-all/Wed, 20 Dec 2023 20:37:53 GMTbugbountycicdgithubsecuritysupplychainadnanthekhanWelcome to my blog - there is more to come!https://adnanthekhan.com/2023/12/16/welcome-to-my-blog-there-is-more-to-come/https://adnanthekhan.com/2023/12/16/welcome-to-my-blog-there-is-more-to-come/Sat, 16 Dec 2023 18:05:08 GMTbugbountycicdsecurityadnanthekhan