Novel CI/CD attack could prompt widespread supply chain compromise

A significant supply chain compromise could be carried out against major IT and cryptocurrency organizations through a novel continuous integration/continuous delivery (CI/CD) attack technique that exploits thousands of public GitHub repositories with code injection issues, SecurityWeek reports. Threat actors could deploy the attack against repositories that use self-hosted runners: by leveraging a fork pull request to become a contributor, they gain workflow execution on the runner without approval and, from there, further code execution, according to a report by Praetorian security researcher Adnan Khan.
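As an added example (not code from the page, SecurityWeek, Praetorian or the researcher cited), the Python audit below flags a workflow file in which a pull-request trigger, which a fork can fire, would schedule a job on a self-hosted runner, the combination the report warns about. The two workflow snippets are constructed, and the line-based parsing assumes conventionally indented workflow YAML with inline `runs-on` labels rather than using a full YAML parser.

```python
import re
# Constructed sample workflows (not from the page or any real repository).
RISKY_WORKFLOW = """\
on:
  pull_request:
    branches: [main]
jobs:
  build:
    runs-on: [self-hosted, linux]
"""
SAFER_WORKFLOW = """\
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
"""
# Events that a pull request opened from a fork can fire.
PR_TRIGGERS = {"pull_request", "pull_request_target"}

def triggers(workflow):
    """Event names under the top-level 'on:' key, in inline or block form."""
    lines, found = workflow.splitlines(), set()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        if m.group(1).strip():  # 'on: push' or 'on: [push, pull_request]'
            found.update(t.strip() for t in m.group(1).strip("[] ").split(",") if t.strip())
            break
        key_indent = None  # block form: collect keys at the first indent level under 'on:'
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt.startswith(" "):  # back at top level, e.g. 'jobs:'
                break
            if km := re.match(r"^( +)(\w+)\s*:", nxt):
                key_indent = key_indent or len(km.group(1))
                if len(km.group(1)) == key_indent:
                    found.add(km.group(2))
        break
    return found

def uses_self_hosted(workflow):
    """True if any inline 'runs-on:' value names the self-hosted label (assumes no ${{ }} expressions)."""
    return any("self-hosted" in {lab.strip().strip("'\"") for lab in m.group(1).strip("[] ").split(",")}
               for m in re.finditer(r"runs-on:\s*(\S.*)", workflow))

def audit(workflow):
    """Findings for one workflow: a fork-reachable trigger combined with a self-hosted runner."""
    reachable = triggers(workflow) & PR_TRIGGERS
    if reachable and uses_self_hosted(workflow):
        return [f"self-hosted runner reachable from fork PR triggers: {sorted(reachable)}"]
    return []
```

Running `audit` over every file under a repository's `.github/workflows` directory gives a quick inventory of which jobs a fork contributor could land on a self-hosted machine.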

Source: SC Magazine
