CI/CD Security: Supply chain attack from a compromised developer

In modern DevOps environments, CI/CD pipelines automate code development, testing, and deployment, enabling rapid delivery and scalability while significantly expanding the attack surface.

CI/CD audits conducted in 2025 and 2026 revealed that credentials leaked in repositories, misconfigured runners, insecure artifact stores, and overly permissive cloud roles are all vectors attackers can chain to gain persistent, high-privilege access across the entire infrastructure.

A high-level overview of DevOps tooling is illustrated below:

Tools with multiple uses and functions for DevOps
Tools with multiple uses and functions for DevOps

A compromise at any stage of the pipeline can provide a path toward more sensitive systems.

DevOps tools that can become a faster way for attackers to obtain a high privilege access on the IS
DevOps tools that can become a faster way for attackers to obtain a high privilege access on the IS

This article walks through a representative CI/CD attack kill chain based on observed real-world patterns, highlighting the most commonly exploited vectors and the key hardening measures to reduce the attack surface at every stage of the pipeline, from source code to production deployment.

 

The Kill Chain: from reconnaissance to persistence

Reconnaissance and Initial Access

The kill chain typically begins with a phishing targeting developers to harvest credentials and MFA codes, though MFA itself can be bypassed through token hijacking or session theft.

Successful phishing attack
Successful phishing attack

It should be noted that credential compromise alone is not always sufficient to directly access sensitive administrative portals. Security controls protecting Microsoft 365 administrative interfaces have been strengthened through the implementation of MFA and, where applicable, Conditional Access policies, limiting the impact of phishing on highly privileged access.

However, in modern enterprise environments where most business applications rely on Single Sign-On (SSO), the compromise of a Microsoft session (e.g., through session cookie theft) can provide attackers with access to a wide range of interconnected services, including code repositories and CI/CD platforms. Attackers typically use this initial foothold to identify development environments and establish persistence through mechanisms such as Personal Access Tokens (PATs).

A common but often overlooked risk arises when user accounts are disabled at the identity provider level (e.g., Entra ID) but not fully deprovisioned within repository platforms. In such cases, previously issued PATs may remain valid, allowing attackers to retain repository access despite account revocation.

Additional entry points include the exploitation of known CVEs and poor credential hygiene. Many major vulnerabilities in DevOps tools are regularly discovered, highlighting the need for continuous vulnerability management. Exploiting a critical vulnerability can directly provide privileged access to a tool in the chain.

Examples include:

  • CVE-2024-23897 (Jenkins), which allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system, leading to exposure of sensitive secrets,
  • CVE-2023-7028 (GitLab), in which user account password reset emails could be delivered to an unverified email address,
  • CVE-2023-36561 (Azure DevOps Server), an elevation of privilege vulnerability allowing attackers to gain unauthorized access to functionalities within Azure DevOps Server, with potential impact on pipelines, secrets, and project-level resources.

 

REMEDIATION – Strengthen Access Controls for Source Code Repository

To mitigate initial access risks, organizations should implement controls to prevent unauthorized access, detect persistence, and enforce strong identity governance.

Enforce confidential access policies and network exposure

  • Avoid the use of generic or shared accounts,
  • Use dedicated developer identities separated from standard productivity (email and office) accounts to reduce exposure to phishing attacks and limit the impact of credential compromise in CI/CD environments.
  • Enforce phishing-resistant MFA mechanisms (FIDO2 keys, certificate, etc.),
  • Implement Conditional Access policies to restrict access based on contextual factors such as network location and device compliance.

Implement mechanisms to detect persistence attempts

  • Implement monitoring mechanisms to detect suspicious creation or usage of PATs in GitLab, anomalous activities such as deployments occurring at unusual times, etc.
  • Monitor the addition of new authentication methods in Entra ID, as a potential sign of compromise, particularly passwordless ones, after a phishing event.

Recertify all accesses periodically and remediate unused accounts

  • Disable or remove unused or inactive accounts,
  • Revoke access for offboarded employees across all systems,
  • Conduct periodic access reviews, at least every six months for high-risk users.

 

Code Repository and Pipeline Compromise

Source code repositories are often directly integrated with CI/CD pipelines, meaning that changes to the codebase can automatically trigger build and deployment processes. As a result, compromising a developer account can influence how applications are built and deployed.

To reduce the risk of unauthorized changes reaching production, organizations typically protect production branches (e.g., main or master) through pull requests, approvals, and automated validation checks. In contrast, development branches are generally less strictly controlled to support faster development and testing.

In the observed scenario, the attacker targets the development branch and modifies the pipeline configuration file (gitlab-ci.yml), injecting a malicious command (aimed at establishing remote access) into an existing job. When the pipeline is executed, this command runs on the CI/CD runner, allowing the attacker to gain remote access to it.

Code repository manipulation
Code repository manipulation

As part of the compromised CI/CD environment credentials, the attacker gains access to a Nexus token, which is an artifact management system, used to store and distribute trusted build artifacts consumed by downstream pipelines.

 

REMEDIATION – Harden Code Repository Security Controls

Securing the code repository is essential to prevent attackers from abusing CI/CD pipelines after initial access, as repositories directly control how code is built and deployed.

Harden code repository to limit pipeline triggers

  • Configure protected branches on the branches used for deployment,
  • Set up multi-level approval workflows on merge requests that trigger pipelines and disable self-approval,
  • Use code ownership to assign and require approval from designated owners on sensitive files (e.g. CI/CD job configuration).

Limit project visibility and permissions

  • Limit writing permissions to only those who require them for their role,
  • Restrict project visibility based on the need-to-know principle, using internal or private (preferred) visibility.

Establish proper secret management hygiene

  • Configure scoped CI/CD secrets the project level and prefer ephemeral credentials whenever possible,
  • Detect secrets in clear text as early as possible (at commit time or before code is pushed) and revoke immediately if exposed,
  • Conduct periodic reviews (e.g., internal audits or red team exercises) across platforms such as Git repositories, Jira, or Confluence to help identify previously undetected leaks.

 

REMEDIATION – Strengthen Self-Hosted Runner Security Controls

Runners are critical components of CI/CD pipelines, as they execute code and handle sensitive data. If compromised, they can be used to move laterally, access secrets, or take control of the environment.

Restrict network exposure and execution scope

  • Restrict runner network traffic to only what is required for pipeline execution, and enforce network controls such as proxies and segmentation to prevent unrestricted internet access and limit lateral movement within internal networks.
  • Restrict pipeline triggers from untrusted or personal repositories.

Treat runners as sensitive systems

  • Treat runners as critical servers (regular OS patching and hardening),
  • Deploy Endpoint Detection and Response (EDR) solutions for process monitoring, including within containerized environments.

Use dedicated and ephemeral runners

  • Prefer dedicated runners per project or environment. Sharing runners across multiple contexts increases the risk of cross-project contamination and privilege escalation,
  • Use ephemeral / autoscaling runners that are destroyed after each job,
  • Ensure VM-based runners are also ephemeral and isolated to ensure no residual data or access persists between executions. In addition, rely only on hardened and trusted base images (e.g. golden images for VM-based runners and approved container images), to prevent execution in compromised or unverified environments.

Secure container-based runners

  • Allow only approved and trusted images in pipeline executions to prevent the introduction of malicious code through compromised or unverified images,
  • Apply least privilege in container runtime environments,
  • Avoid privileged mode and drop unnecessary Linux capabilities,
  • Use secure build engines (BuildKit / Buildah) when Docker-in-Docker is required

Harden Cloud-based runners

  • When using cloud-managed runners, enforce isolation and identity scoping, restrict metadata access to prevent credential exposure from underlying infrastructure, and ensure CI/CD roles are governed by strict least-privilege IAM policies to avoid excessive permissions.

 

Artifact Poisoning and Dependency Attacks

In software delivery environments, artifact management systems store and distribute outputs generated by CI/CD pipelines. These outputs, known as artifacts, represent the packaged results of the build process, such as compiled binaries, application packages, or deployment images.

Artifacts are stored centrally to ensure versioning, traceability, and reuse across multiple pipelines. In addition to application-specific outputs, these repositories often also host shared components such as golden images, reusable libraries, or common runtime dependencies. Because they originate from trusted build processes, artifacts are typically assumed to be safe and are widely consumed by downstream pipelines without additional validation.

In the observed scenario, the attacker uses previously obtained credentials to authenticate to the artifact repository (Nexus in this example) with excessive permissions (read/write across multiple categories, rather than being limited to a single application scope), and gains access to both production-grade and shared artifacts.

Among these, the attacker identifies a legitimate Terraform binary used within the infrastructure deployment process (referred to as the tofu binary), which is commonly trusted and consumed by downstream CI/CD pipelines to provision and manage cloud resources.

Legitimate binary used for infrastructure deployment
Legitimate binary used for infrastructure deployment

The attacker downloads this artifact locally and modifies its contents by injecting malicious logic while preserving its original functionality, and embeds hidden behavior designed to interact with AWS Identity and Access Management (IAM) and AWS Security Token Service (STS) services to retrieve credentials.

AWS IAM and STS credential handling logic within the Terraform malicious binary
AWS IAM and STS credential handling logic within the Terraform malicious binary

The modified binary is then reuploaded to Nexus, replacing the legitimate version with a poisoned artifact.

Uploading the malicious binary
Uploading the malicious binary

From this point onward, any CI/CD pipeline consuming the artifact automatically retrieves the compromised binary as part of its dependency resolution, as it’s still considered trusted.

Malicious binary successfully downloaded from Nexus
Malicious binary successfully downloaded from Nexus

Upon execution, the poisoned binary activates the embedded malicious payload, which is designated to retrieve the AWS access token used by the Terraform execution context and send it to the attacker-controlled server for exfiltration. It then generates an obfuscated output encoded in Base32. Decoding allows reconstruction of a JSON object containing AWS credentials (AccessKeyId, SecretAccessKey, and SessionToken).

Base32-decoded payload revealing AWS credentials after executing the malicious Terraform binary
Base32-decoded payload revealing AWS credentials after executing the malicious Terraform binary

The attacker configures these credentials locally and uses AWS STS (GetCallerIdentity API call) to confirm identity impersonation of the CI/CD runner. 

AWS access
AWS access

This illustration shows the attack chain: artifact compromise, injection of malicious logic, propagation through CI/CD pipelines, and eventual AWS credential theft leading environment compromise.

Artifactory compromise - dependency poisoning
Artifactory compromise – dependency poisoning

As a result, the attacker gains unauthorized access to AWS resources under the guise of a legitimate identity.

 

REMEDIATION – Improve Artifactory Access Management Controls

Artifact repositories such as Nexus are key CI/CD components used to store and distribute build dependencies and artifacts. They are high-value targets for supply chain attacks.

Security requires strong access control, dependency governance, and continuous integrity monitoring.

Harden the artifact repository platform

  • Allow wide read on repository only at two conditions: from needed service (CICD) and if password management in dependency exist,
  • Highly restrict writing permission,
  • Change default

Perform Software Composition Analysis (SCA)

  • Apply Software Composition Analysis to both internal dependencies (stored in local repositories) and external ones (retrieved from remote or proxy repositories) to detect known vulnerabilities and outdated components.

Restrict artifact sources

  • Maintain a whitelist of trusted repositories to ensure only approved sources are used,
  • Enforce repository-level controls to exclude unapproved or vulnerable versions, for example in Nexus, or through exclusion rules in JFrog Artifactory,
  • Prevent CI/CD pipelines from accessing untrusted external sources by enforcing strict repository boundaries.

 

Cloud Compromise via CI/CD Workload Abuse

In cloud environments, CI/CD runners are typically assigned privileged IAM roles to perform deployment operations, including creating, modifying, and deleting infrastructure resources. These roles often include broad permissions such as AdministratorAccess or overly permissive custom policies, enabling the runner to interact with a wide range of AWS services including compute, storage, and identity management.

When a CI/CD runner is compromised, an attacker can directly abuse these privileges without requiring further escalation. This can lead to immediate access to sensitive resources such as S3 buckets or RDS databases, enabling data exfiltration. The attacker may also leverage IAM permissions to assume additional roles across other AWS accounts or projects, facilitating lateral movement within the organization. In addition, access to compute-related services can be abused to deploy, modify, or persist malicious workloads, ultimately resulting in a full compromise of the cloud environment.

From developer compromise to Cloud takeover: full CI/CD attack path overview

The CI/CD attack chain starts with the initial compromise of a developer and ends with the full takeover of the cloud environment.

The following illustration highlights key detection and monitoring opportunities across the CI/CD ecosystem. It shows how security telemetry can be collected and correlated throughout the different stages of the CI/CD attack chain, from development activities to CI/CD runners, artifact repositories, and cloud IAM operations.

Kill chain - Detection
Kill chain – Detection

Overall, although CI/CD pipelines significantly expand the attack surface, they also provide multiple strategic interception points where centralized logging and security monitoring can enable early detection and response to malicious activity.

 

In conclusion, to achieve a secure CI/CD pipeline, security must be considered end-to-end, from developers’ environments to production systems.

Developers are the first link in the chain, and securing their accounts is essential. This should be supported by good practices such as secure secret management and regular security awareness.

It’s also important to ensure proper isolation between environments and to enforce strict least privilege for both users and service accounts.

Security issues cannot be fixed by small patches if the overall pipeline design is weak.

Finally, deployment use cases should be clearly defined from the start, as they directly drive the architecture and IAM design choices.

Beyond these technical measures, CI/CD security must be continuously assessed through regular technical audits as well as organizational reviews of the development lifecycle to ensure risks remain under control as the environment evolves.

For a broader perspective and higher-level recommendations on positioning CI/CD as a cornerstone of the information system, see the RiskInsight article: “CI/CD: the new cornerstone of the information system”.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top