{"id":30390,"date":"2026-07-08T08:55:12","date_gmt":"2026-07-08T07:55:12","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=30390"},"modified":"2026-07-08T08:55:14","modified_gmt":"2026-07-08T07:55:14","slug":"ci-cd-security-supply-chain-attack-from-a-compromised-developer","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/","title":{"rendered":"CI\/CD Security: Supply chain attack from a compromised developer"},"content":{"rendered":"\n<p style=\"text-align: justify;\">In modern <strong>DevOps environments<\/strong>, <strong>CI\/CD pipelines<\/strong> automate code development, testing, and deployment, enabling rapid delivery and scalability while significantly expanding the attack surface.<\/p>\n<p style=\"text-align: justify;\">CI\/CD audits conducted in 2025 and 2026 revealed that<strong> credentials leaked<\/strong> in repositories, <strong>misconfigured runners<\/strong>, <strong>insecure artifact stores<\/strong>, and <strong>overly permissive cloud roles<\/strong> are all vectors attackers can chain to gain persistent, high-privilege access across the entire infrastructure.<\/p>\n<p style=\"text-align: justify;\">A high-level overview of DevOps tooling is illustrated below:<\/p>\n<figure id=\"attachment_30393\" aria-describedby=\"caption-attachment-30393\" style=\"width: 911px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30393\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/1-Tools-with-multiple-uses-and-functions-for-DevOps.png\" alt=\"Tools with multiple uses and functions for DevOps\" width=\"911\" height=\"422\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/1-Tools-with-multiple-uses-and-functions-for-DevOps.png 911w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/1-Tools-with-multiple-uses-and-functions-for-DevOps-412x191.png 412w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/1-Tools-with-multiple-uses-and-functions-for-DevOps-71x33.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/1-Tools-with-multiple-uses-and-functions-for-DevOps-768x356.png 768w\" sizes=\"auto, (max-width: 911px) 100vw, 911px\" \/><figcaption id=\"caption-attachment-30393\" class=\"wp-caption-text\">Tools with multiple uses and functions for DevOps<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">A compromise at any stage of the pipeline can provide a path toward more sensitive systems.<\/p>\n<figure id=\"attachment_30395\" aria-describedby=\"caption-attachment-30395\" style=\"width: 911px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30395\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2-DevOps-tools-that-can-become-a-faster-way-for-attackers-to-obtain-a-high-privilege-access-on-the-IS.png\" alt=\"DevOps tools that can become a faster way for attackers to obtain a high privilege access on the IS\" width=\"911\" height=\"380\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2-DevOps-tools-that-can-become-a-faster-way-for-attackers-to-obtain-a-high-privilege-access-on-the-IS.png 911w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2-DevOps-tools-that-can-become-a-faster-way-for-attackers-to-obtain-a-high-privilege-access-on-the-IS-437x182.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2-DevOps-tools-that-can-become-a-faster-way-for-attackers-to-obtain-a-high-privilege-access-on-the-IS-71x30.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2-DevOps-tools-that-can-become-a-faster-way-for-attackers-to-obtain-a-high-privilege-access-on-the-IS-768x320.png 768w\" sizes=\"auto, (max-width: 911px) 100vw, 911px\" \/><figcaption id=\"caption-attachment-30395\" class=\"wp-caption-text\">DevOps tools that can become a faster way for attackers to obtain a high privilege access on the IS<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">This article walks through a representative <strong>CI\/CD attack kill chain based on observed real-world patterns<\/strong>, highlighting the most commonly exploited vectors and the key hardening measures to reduce the attack surface at every stage of the pipeline, from source code to production deployment.<\/p>\n<p>\u00a0<\/p>\n<h2>The Kill Chain: from reconnaissance to persistence<\/h2>\n<h3>Reconnaissance and Initial Access<\/h3>\n<p style=\"text-align: justify;\">The kill chain typically begins with <strong>a phishing targeting developers<\/strong> to <strong>harvest credentials and MFA codes<\/strong>, though MFA itself can be bypassed through token hijacking or session theft.<\/p>\n<figure id=\"attachment_30397\" aria-describedby=\"caption-attachment-30397\" style=\"width: 911px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30397\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/3-Successful-phishing-attack.png\" alt=\"Successful phishing attack\" width=\"911\" height=\"479\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/3-Successful-phishing-attack.png 911w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/3-Successful-phishing-attack-363x191.png 363w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/3-Successful-phishing-attack-71x37.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/3-Successful-phishing-attack-768x404.png 768w\" sizes=\"auto, (max-width: 911px) 100vw, 911px\" \/><figcaption id=\"caption-attachment-30397\" class=\"wp-caption-text\">Successful phishing attack<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">It should be noted that <strong>credential compromise alone is not always sufficient<\/strong> to directly access sensitive administrative portals. <strong>Security controls protecting Microsoft 365<\/strong> administrative interfaces have been strengthened through the implementation of MFA and, where applicable, Conditional Access policies, limiting the impact of phishing on highly privileged access.<\/p>\n<p style=\"text-align: justify;\">However, in <strong>modern enterprise environments<\/strong> where <strong>most business applications<\/strong> <strong>rely on Single Sign-On (SSO),<\/strong> the compromise of a Microsoft session (e.g., through session cookie theft) can provide attackers with access to a wide range of interconnected services, including code repositories and CI\/CD platforms. Attackers typically use this initial foothold to identify development environments and <strong>establish persistence<\/strong> through mechanisms such as <strong>Personal Access Tokens (PATs).<\/strong><\/p>\n<p style=\"text-align: justify;\">A common but often overlooked risk arises when <strong>user accounts are disabled<\/strong> at the identity provider level (e.g., <strong>Entra ID<\/strong>) but <strong>not fully deprovisioned<\/strong> within repository platforms. In such cases, <strong>previously issued PATs<\/strong> may remain valid, allowing attackers to retain repository access despite account revocation.<\/p>\n<p style=\"text-align: justify;\">Additional entry points include the <strong>exploitation of known CVEs<\/strong> and poor credential hygiene. Many major vulnerabilities in DevOps tools are regularly discovered, highlighting the need for continuous vulnerability management. Exploiting a <strong>critical<\/strong> <strong>vulnerability<\/strong> can <strong>directly<\/strong> provide <strong>privileged<\/strong> <strong>access<\/strong> to a <strong>tool in the chain.<\/strong><\/p>\n<p style=\"text-align: justify;\">Examples include:<\/p>\n<ul>\n<li style=\"text-align: justify;\"><span style=\"color: #808080;\"><a style=\"color: #808080;\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-23897\"><strong>CVE-2024-23897<\/strong><\/a><\/span><strong> (Jenkins)<\/strong>, which allows unauthenticated attackers to read arbitrary files on the Jenkins controller file system, leading to exposure of sensitive secrets,<\/li>\n<li style=\"text-align: justify;\"><span style=\"color: #808080;\"><a style=\"color: #808080;\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2023-7028\"><strong>CVE-2023-7028<\/strong><\/a><\/span><strong> (GitLab)<\/strong>, in which user account password reset emails could be delivered to an unverified email address,<\/li>\n<li style=\"text-align: justify;\"><span style=\"color: #808080;\"><a style=\"color: #808080;\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2023-36561\"><strong>CVE-2023-36561<\/strong><\/a><\/span><strong> (Azure DevOps Server)<\/strong>, an elevation of privilege vulnerability allowing attackers to gain unauthorized access to functionalities within Azure DevOps Server, with potential impact on pipelines, secrets, and project-level resources.<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<p style=\"text-align: justify;\"><strong><u>REMEDIATION \u2013 Strengthen Access Controls for Source Code Repository<\/u><\/strong><\/p>\n<p style=\"text-align: justify;\">To mitigate initial access risks, organizations should implement controls to prevent unauthorized access, detect persistence, and enforce strong identity governance.<\/p>\n<p style=\"text-align: justify;\"><em><u>Enforce confidential access policies and network exposure<\/u><\/em><\/p>\n<ul style=\"text-align: justify;\">\n<li>Avoid the use of <strong>generic or shared accounts<\/strong>,<\/li>\n<li>Use <strong>dedicated developer identities<\/strong> separated from standard productivity (email and office) accounts to reduce exposure to phishing attacks and limit the impact of credential compromise in CI\/CD environments.<\/li>\n<li><strong>Enforce phishing-resistant MFA mechanisms<\/strong> (FIDO2 keys, certificate, etc.),<\/li>\n<li><strong>Implement Conditional Access policies<\/strong> to restrict access based on contextual factors such as network location and device compliance.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><em><u>Implement mechanisms to detect persistence attempts<\/u><\/em><\/p>\n<ul style=\"text-align: justify;\">\n<li>Implement <strong>monitoring mechanisms<\/strong> to detect suspicious creation or usage of <strong>PATs <\/strong>in GitLab, anomalous activities such as <strong>deployments occurring at unusual times<\/strong>, etc.<\/li>\n<li>Monitor the addition of <strong>new authentication methods in Entra ID, <\/strong>as a potential sign of compromise, particularly <strong>passwordless<\/strong> ones, after a phishing event.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><em><u>Recertify all accesses periodically and remediate unused accounts<\/u><\/em><\/p>\n<ul style=\"text-align: justify;\">\n<li>Disable or remove<strong> unused or inactive accounts<\/strong>,<\/li>\n<li>Revoke access for <strong>offboarded employees<\/strong> across all systems,<\/li>\n<li>Conduct periodic access reviews, at least <strong>every six months<\/strong> for <strong>high-risk users<\/strong>.<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<h3 style=\"text-align: justify;\">Code Repository and Pipeline Compromise<\/h3>\n<p style=\"text-align: justify;\"><strong>Source code repositories<\/strong> are often <strong>directly integrated with CI\/CD pipelines<\/strong>, meaning that changes to the codebase can automatically trigger build and deployment processes. As a result, compromising a developer account can influence how applications are built and deployed.<\/p>\n<p style=\"text-align: justify;\">To <strong>reduce the risk of unauthorized changes<\/strong> <strong>reaching<\/strong> <strong>production<\/strong>, organizations typically <strong>protect production branches<\/strong> (e.g., main or master) through pull requests, approvals, and automated validation checks. In contrast, <strong>development branches <\/strong>are generally <strong>less strictly controlled<\/strong> to support faster development and testing.<\/p>\n<p style=\"text-align: justify;\">In the observed scenario, the attacker <strong>targets the development branch <\/strong>and modifies the pipeline configuration file (gitlab-ci.yml), injecting a <strong>malicious command<\/strong> (aimed at establishing remote access) into an <strong>existing job<\/strong>. When the pipeline is executed, this command runs on the CI\/CD runner, allowing the attacker to gain remote access to it.<\/p>\n<figure id=\"attachment_30403\" aria-describedby=\"caption-attachment-30403\" style=\"width: 911px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30403\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/6-Code-repository-manipulation.png\" alt=\"Code repository manipulation\" width=\"911\" height=\"396\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/6-Code-repository-manipulation.png 911w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/6-Code-repository-manipulation-437x191.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/6-Code-repository-manipulation-71x31.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/6-Code-repository-manipulation-768x334.png 768w\" sizes=\"auto, (max-width: 911px) 100vw, 911px\" \/><figcaption id=\"caption-attachment-30403\" class=\"wp-caption-text\">Code repository manipulation<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">As part of the compromised CI\/CD environment credentials, the <strong>attacker gains access<\/strong> to a <strong>Nexus token,<\/strong> which is an <strong>artifact management system, <\/strong>used to store and distribute trusted build artifacts consumed by downstream pipelines.<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\"><strong><u>REMEDIATION \u2013 Harden Code Repository Security Controls<\/u><\/strong><\/p>\n<p style=\"text-align: justify;\">Securing the code repository is essential to prevent attackers from abusing CI\/CD pipelines after initial access, as repositories directly control how code is built and deployed.<\/p>\n<p style=\"text-align: justify;\"><em><u>Harden code repository to limit pipeline triggers<\/u><\/em><\/p>\n<ul style=\"text-align: justify;\">\n<li>Configure <strong>protected branches<\/strong> on the branches used for deployment,<\/li>\n<li><strong>Set up multi-level approval workflows<\/strong> on merge requests that trigger pipelines and <strong>disable self-approval, <\/strong><\/li>\n<li>Use <strong>code ownership <\/strong>to <strong>assign <\/strong>and <strong>require approval <\/strong>from <strong>designated owners <\/strong>on <strong>sensitive files <\/strong>(e.g. CI\/CD job configuration).<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><em><u>Limit project visibility and permissions<\/u><\/em><\/p>\n<ul style=\"text-align: justify;\">\n<li><strong>Limit writing permissions<\/strong> to only those who require them for their role,<\/li>\n<li><strong>Restrict project visibility<\/strong> based on the <strong>need-to-know principle<\/strong>, using internal or private (preferred) visibility.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><em><u>Establish proper secret management hygiene<\/u><\/em><\/p>\n<ul>\n<li style=\"text-align: justify;\"><strong>Configure scoped CI\/CD secrets the project<\/strong> level and prefer ephemeral credentials whenever possible,<\/li>\n<li style=\"text-align: justify;\"><strong>Detect secrets in clear text as early as possible <\/strong>(at commit time or before code is pushed) and revoke immediately if exposed,<\/li>\n<li style=\"text-align: justify;\">Conduct <strong>periodic reviews<\/strong> (e.g., internal audits or red team exercises) across platforms such as Git repositories, Jira, or Confluence to help identify previously undetected leaks.<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<p><strong><u>REMEDIATION \u2013 Strengthen Self-Hosted Runner Security Controls<\/u><\/strong><\/p>\n<p style=\"text-align: justify;\">Runners are critical components of CI\/CD pipelines, as they execute code and handle sensitive data. If compromised, they can be used to move laterally, access secrets, or take control of the environment.<\/p>\n<p style=\"text-align: justify;\"><em><u>Restrict network exposure and execution scope<\/u><\/em><\/p>\n<ul style=\"text-align: justify;\">\n<li><strong>Restrict runner network traffic <\/strong>to only what is required for pipeline execution, and enforce <strong>network controls<\/strong> such as <strong>proxies<\/strong> and <strong>segmentation<\/strong> to prevent unrestricted internet access and limit lateral movement within internal networks.<\/li>\n<li><strong>Restrict pipeline triggers<\/strong> from untrusted or personal repositories.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><em><u>Treat runners as sensitive systems<\/u><\/em><\/p>\n<ul style=\"text-align: justify;\">\n<li>Treat runners as critical servers (<strong>regular OS patching<\/strong> and <strong>hardening<\/strong>),<\/li>\n<li>Deploy <strong>Endpoint Detection and Response (EDR)<\/strong> solutions for process monitoring, including within containerized environments.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><em><u>Use dedicated and ephemeral runners<\/u><\/em><\/p>\n<ul style=\"text-align: justify;\">\n<li>Prefer <strong>dedicated runners per project or environment. <\/strong>Sharing runners across multiple contexts increases the risk of cross-project contamination and privilege escalation,<\/li>\n<li>Use <strong>ephemeral \/ autoscaling<\/strong> runners that are destroyed after each job,<\/li>\n<li>Ensure <strong>VM-based runners<\/strong> are also <strong>ephemeral<\/strong> and <strong>isolated <\/strong>to ensure no residual data or access persists between executions. In addition, rely <strong>only on hardened and trusted base images <\/strong>(e.g. <strong>golden images<\/strong> for VM-based runners and approved container images), to prevent execution in compromised or unverified environments.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><em><u>Secure container-based runners<\/u><\/em><\/p>\n<ul style=\"text-align: justify;\">\n<li><strong>Allow only approved and trusted images in pipeline<\/strong> <strong>executions<\/strong> to prevent the introduction of malicious code through compromised or unverified images,<\/li>\n<li>Apply <strong>least privilege<\/strong> in container runtime environments,<\/li>\n<li><strong>Avoid<\/strong> <strong>privileged mode<\/strong> and drop unnecessary Linux capabilities,<\/li>\n<li>Use secure build engines <strong>(BuildKit \/ Buildah) <\/strong>when <strong>Docker-in-Docker<\/strong> is required<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><em><u>Harden Cloud-based runners<\/u><\/em><\/p>\n<ul>\n<li style=\"text-align: justify;\">When using <strong>cloud-managed runners<\/strong>, enforce <strong>isolation and identity scoping<\/strong>, <strong>restrict<\/strong> <strong>metadata<\/strong> access to prevent credential exposure from underlying infrastructure, and ensure CI\/CD roles are governed by <strong>strict least-privilege IAM policies<\/strong> to avoid excessive permissions.<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<h3>Artifact Poisoning and Dependency Attacks<\/h3>\n<p style=\"text-align: justify;\">In software delivery environments, <strong>artifact management systems <\/strong>store and distribute <strong>outputs generated by CI\/CD pipelines<\/strong>. These outputs, known as <strong>artifacts<\/strong>, represent the <strong>packaged results of the build process<\/strong>, such as compiled binaries, application packages, or deployment images.<\/p>\n<p style=\"text-align: justify;\"><strong>Artifacts<\/strong> are <strong>stored centrally<\/strong> to ensure versioning, traceability, and reuse across multiple pipelines. In addition to <strong>application-specific outputs<\/strong>, these repositories often <strong>also host shared<\/strong> <strong>components<\/strong> such as <strong>golden images<\/strong>, <strong>reusable libraries<\/strong>, or <strong>common runtime dependencies<\/strong>. Because they <strong>originate from trusted build processes<\/strong>, <strong>artifacts<\/strong> are typically assumed to be safe and are widely <strong>consumed by downstream pipelines<\/strong> without additional validation.<\/p>\n<p style=\"text-align: justify;\">In the observed scenario, the <strong>attacker uses <\/strong>previously obtained <strong>credentials<\/strong> to <strong>authenticate <\/strong>to the <strong>artifact repository<\/strong> (<strong>Nexus <\/strong>in this example) with <strong>excessive<\/strong> <strong>permissions<\/strong> (read\/write across multiple categories, rather than being limited to a single application scope), and gains access to both production-grade and shared artifacts.<\/p>\n<p style=\"text-align: justify;\">Among these, the attacker identifies a legitimate <strong>Terraform binary<\/strong> used within the infrastructure deployment process (referred to as the <strong>tofu binary<\/strong>), which is commonly trusted and consumed by downstream CI\/CD pipelines to provision and manage cloud resources.<\/p>\n<figure id=\"attachment_30405\" aria-describedby=\"caption-attachment-30405\" style=\"width: 1394px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30405\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/7-Legitimate-binary-used-for-infrastructure-deployment.png\" alt=\"Legitimate binary used for infrastructure deployment\" width=\"1394\" height=\"949\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/7-Legitimate-binary-used-for-infrastructure-deployment.png 1394w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/7-Legitimate-binary-used-for-infrastructure-deployment-281x191.png 281w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/7-Legitimate-binary-used-for-infrastructure-deployment-57x39.png 57w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/7-Legitimate-binary-used-for-infrastructure-deployment-768x523.png 768w\" sizes=\"auto, (max-width: 1394px) 100vw, 1394px\" \/><figcaption id=\"caption-attachment-30405\" class=\"wp-caption-text\">Legitimate binary used for infrastructure deployment<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">The attacker <strong>downloads this artifact locally<\/strong> and <strong>modifies its contents<\/strong> by injecting <strong>malicious logic <\/strong>while preserving its original functionality, and <strong>embeds hidden behavior<\/strong> designed to <strong>interact<\/strong> with <strong>AWS Identity and Access Management (IAM) and AWS Security Token Service (STS) services<\/strong> to retrieve credentials.<\/p>\n<figure id=\"attachment_30407\" aria-describedby=\"caption-attachment-30407\" style=\"width: 827px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30407\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/8-AWS-IAM-and-STS-credential-handling-logic-within-the-Terraform-malicious-binary.png\" alt=\"AWS IAM and STS credential handling logic within the Terraform malicious binary\" width=\"827\" height=\"716\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/8-AWS-IAM-and-STS-credential-handling-logic-within-the-Terraform-malicious-binary.png 827w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/8-AWS-IAM-and-STS-credential-handling-logic-within-the-Terraform-malicious-binary-221x191.png 221w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/8-AWS-IAM-and-STS-credential-handling-logic-within-the-Terraform-malicious-binary-45x39.png 45w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/8-AWS-IAM-and-STS-credential-handling-logic-within-the-Terraform-malicious-binary-768x665.png 768w\" sizes=\"auto, (max-width: 827px) 100vw, 827px\" \/><figcaption id=\"caption-attachment-30407\" class=\"wp-caption-text\">AWS IAM and STS credential handling logic within the Terraform malicious binary<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">The modified binary is then <strong>reuploaded to Nexus<\/strong>, replacing the legitimate version with a <strong>poisoned artifact.<\/strong><\/p>\n<figure id=\"attachment_30409\" aria-describedby=\"caption-attachment-30409\" style=\"width: 744px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30409\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/9-Uploading-the-malicious-binary.png\" alt=\"Uploading the malicious binary\" width=\"744\" height=\"613\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/9-Uploading-the-malicious-binary.png 744w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/9-Uploading-the-malicious-binary-232x191.png 232w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/9-Uploading-the-malicious-binary-47x39.png 47w\" sizes=\"auto, (max-width: 744px) 100vw, 744px\" \/><figcaption id=\"caption-attachment-30409\" class=\"wp-caption-text\">Uploading the malicious binary<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">From this point onward, <strong>any CI\/CD pipeline consuming the artifact<\/strong> automatically retrieves the <strong>compromised binary<\/strong> as part of its dependency resolution, as it\u2019s still considered trusted.<\/p>\n<figure id=\"attachment_30411\" aria-describedby=\"caption-attachment-30411\" style=\"width: 911px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30411\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/10-Malicious-binary-successfully-downloaded-from-Nexus.png\" alt=\"Malicious binary successfully downloaded from Nexus\" width=\"911\" height=\"473\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/10-Malicious-binary-successfully-downloaded-from-Nexus.png 911w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/10-Malicious-binary-successfully-downloaded-from-Nexus-368x191.png 368w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/10-Malicious-binary-successfully-downloaded-from-Nexus-71x37.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/10-Malicious-binary-successfully-downloaded-from-Nexus-768x399.png 768w\" sizes=\"auto, (max-width: 911px) 100vw, 911px\" \/><figcaption id=\"caption-attachment-30411\" class=\"wp-caption-text\">Malicious binary successfully downloaded from Nexus<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">Upon execution, the <strong>poisoned binary activates the embedded malicious payload, <\/strong>which is designated to <strong>retrieve the AWS access token<\/strong> used by the <strong>Terraform execution<\/strong> context and send it to the attacker-controlled server for exfiltration. It then generates an <strong>obfuscated output encoded in Base32<\/strong>. Decoding allows reconstruction of a JSON object containing AWS credentials (AccessKeyId, SecretAccessKey, and SessionToken).<\/p>\n<figure id=\"attachment_30413\" aria-describedby=\"caption-attachment-30413\" style=\"width: 911px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30413\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/11-Base32-decoded-payload-revealing-AWS-credentials-after-executing-the-malicious-Terraform-binary.png\" alt=\"Base32-decoded payload revealing AWS credentials after executing the malicious Terraform binary\" width=\"911\" height=\"494\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/11-Base32-decoded-payload-revealing-AWS-credentials-after-executing-the-malicious-Terraform-binary.png 911w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/11-Base32-decoded-payload-revealing-AWS-credentials-after-executing-the-malicious-Terraform-binary-352x191.png 352w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/11-Base32-decoded-payload-revealing-AWS-credentials-after-executing-the-malicious-Terraform-binary-71x39.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/11-Base32-decoded-payload-revealing-AWS-credentials-after-executing-the-malicious-Terraform-binary-768x416.png 768w\" sizes=\"auto, (max-width: 911px) 100vw, 911px\" \/><figcaption id=\"caption-attachment-30413\" class=\"wp-caption-text\">Base32-decoded payload revealing AWS credentials after executing the malicious Terraform binary<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">The attacker configures these credentials locally and uses <strong>AWS STS<\/strong> (GetCallerIdentity API call) to confirm identity impersonation of the CI\/CD runner.\u00a0<\/p>\n<figure id=\"attachment_30415\" aria-describedby=\"caption-attachment-30415\" style=\"width: 910px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30415\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/12-AWS-access.png\" alt=\"AWS access\" width=\"910\" height=\"182\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/12-AWS-access.png 910w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/12-AWS-access-437x87.png 437w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/12-AWS-access-71x14.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/12-AWS-access-768x154.png 768w\" sizes=\"auto, (max-width: 910px) 100vw, 910px\" \/><figcaption id=\"caption-attachment-30415\" class=\"wp-caption-text\">AWS access<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">This illustration shows the attack chain: artifact compromise, injection of malicious logic, propagation through CI\/CD pipelines, and eventual AWS credential theft leading environment compromise.<\/p>\n<figure id=\"attachment_30417\" aria-describedby=\"caption-attachment-30417\" style=\"width: 911px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30417\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/13-Artifactory-compromise-dependency-poisoning.png\" alt=\"Artifactory compromise - dependency poisoning\" width=\"911\" height=\"450\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/13-Artifactory-compromise-dependency-poisoning.png 911w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/13-Artifactory-compromise-dependency-poisoning-387x191.png 387w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/13-Artifactory-compromise-dependency-poisoning-71x35.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/13-Artifactory-compromise-dependency-poisoning-768x379.png 768w\" sizes=\"auto, (max-width: 911px) 100vw, 911px\" \/><figcaption id=\"caption-attachment-30417\" class=\"wp-caption-text\">Artifactory compromise &#8211; dependency poisoning<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">As a result, the attacker gains unauthorized access to AWS resources under the guise of a legitimate identity.<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\"><strong><u>REMEDIATION \u2013 Improve Artifactory Access Management Controls<\/u><\/strong><\/p>\n<p style=\"text-align: justify;\">Artifact repositories such as Nexus are key CI\/CD components used to store and distribute build dependencies and artifacts. They are high-value targets for supply chain attacks.<\/p>\n<p style=\"text-align: justify;\">Security requires strong access control, dependency governance, and continuous integrity monitoring.<\/p>\n<p style=\"text-align: justify;\"><em><u>Harden the artifact repository platform<\/u><\/em><\/p>\n<ul style=\"text-align: justify;\">\n<li><strong>Allow wide read on repository only at two conditions:<\/strong> from needed service (CICD) and if password management in dependency exist,<\/li>\n<li>Highly restrict <strong>writing permission<\/strong>,<\/li>\n<li>Change <strong>default<\/strong><\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><em><u>Perform Software Composition Analysis (SCA)<\/u><\/em><\/p>\n<ul style=\"text-align: justify;\">\n<li><strong>Apply Software Composition Analysis<\/strong> to both <strong>internal dependencies<\/strong> (stored in local repositories) and <strong>external ones<\/strong> (retrieved from remote or proxy repositories) to detect known vulnerabilities and outdated components.<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><em><u>Restrict artifact sources<\/u><\/em><\/p>\n<ul>\n<li style=\"text-align: justify;\"><strong>Maintain a whitelist of trusted repositories<\/strong> to ensure only approved sources are used,<\/li>\n<li style=\"text-align: justify;\"><strong>Enforce repository-level controls <\/strong>to exclude unapproved or vulnerable versions, for example in <strong>Nexus<\/strong>, or through exclusion rules in <strong>JFrog<\/strong> Artifactory,<\/li>\n<li style=\"text-align: justify;\"><strong>Prevent CI\/CD pipelines from accessing untrusted external sources<\/strong> by enforcing strict repository boundaries.<\/li>\n<\/ul>\n<p>\u00a0<\/p>\n<h3>Cloud Compromise via CI\/CD Workload Abuse<\/h3>\n<p style=\"text-align: justify;\">In cloud environments, <strong>CI\/CD runners<\/strong> are typically assigned <strong>privileged IAM roles<\/strong> to perform deployment operations, including creating, modifying, and deleting infrastructure resources. These roles often include <strong>broad permissions<\/strong> such as <strong>AdministratorAccess<\/strong> or overly permissive custom policies, enabling the runner to interact with a wide range of AWS services including compute, storage, and identity management.<\/p>\n<p style=\"text-align: justify;\">When <strong>a CI\/CD runner is compromised<\/strong>, an attacker can <strong>directly abuse these privileges<\/strong> without requiring further escalation. This can lead to <strong>immediate access<\/strong> to sensitive resources such as <strong>S3<\/strong> <strong>buckets<\/strong> or <strong>RDS databases<\/strong>, enabling <strong>data exfiltration<\/strong>. The attacker may also leverage <strong>IAM<\/strong> <strong>permissions<\/strong> to assume additional roles across <strong>other AWS accounts<\/strong> or <strong>projects<\/strong>, facilitating <strong>lateral<\/strong> <strong>movement<\/strong> within the organization. In addition, <strong>access to compute-related services<\/strong> can be abused to deploy, modify, or persist malicious workloads, ultimately resulting in a <strong>full compromise<\/strong> of the <strong>cloud environment<\/strong>.<\/p>\n<p style=\"text-align: justify;\">From developer compromise to Cloud takeover: full CI\/CD attack path overview<\/p>\n<p style=\"text-align: justify;\">The CI\/CD attack chain starts with the initial compromise of a developer and ends with the full takeover of the cloud environment.<\/p>\n<p style=\"text-align: justify;\">The following illustration highlights <strong>key detection and monitoring opportunities across the CI\/CD ecosystem<\/strong>. It shows how security telemetry can be collected and correlated throughout the <strong>different stages<\/strong> of the CI\/CD attack chain, from development activities to CI\/CD <strong>runners, artifact repositories, and cloud IAM operations<\/strong>.<\/p>\n<figure id=\"attachment_30419\" aria-describedby=\"caption-attachment-30419\" style=\"width: 911px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-30419\" src=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/14-Kill-chain-Detection.png\" alt=\"Kill chain - Detection\" width=\"911\" height=\"409\" srcset=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/14-Kill-chain-Detection.png 911w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/14-Kill-chain-Detection-425x191.png 425w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/14-Kill-chain-Detection-71x32.png 71w, https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/14-Kill-chain-Detection-768x345.png 768w\" sizes=\"auto, (max-width: 911px) 100vw, 911px\" \/><figcaption id=\"caption-attachment-30419\" class=\"wp-caption-text\">Kill chain &#8211; Detection<\/figcaption><\/figure>\n<p style=\"text-align: justify;\">Overall, although CI\/CD pipelines significantly expand the attack surface, they also provide multiple strategic interception points where centralized logging and security monitoring can enable early detection and response to malicious activity.<\/p>\n<p style=\"text-align: justify;\">\u00a0<\/p>\n<p style=\"text-align: justify;\">In conclusion, to achieve a <strong>secure CI\/CD pipeline<\/strong>, security must be considered end-to-end, from developers\u2019 environments to production systems.<\/p>\n<p style=\"text-align: justify;\"><strong>Developers are the first link in the chain<\/strong>, and securing their accounts is essential. This should be supported by good practices such as secure secret management and regular security awareness.<\/p>\n<p style=\"text-align: justify;\">It\u2019s also important to ensure <strong>proper isolation between environments<\/strong> and to enforce strict <strong>least<\/strong> <strong>privilege<\/strong> for both <strong>users<\/strong> and <strong>service accounts<\/strong>.<\/p>\n<p style=\"text-align: justify;\">Security issues cannot be fixed by small patches if the overall pipeline design is weak.<\/p>\n<p style=\"text-align: justify;\">Finally<strong>, deployment use cases<\/strong> should be clearly defined from the start, as they directly drive the architecture and IAM design choices.<\/p>\n<p style=\"text-align: justify;\">Beyond these technical measures, <strong>CI\/CD security must be continuously assessed through regular technical audits<\/strong> as well as <strong>organizational reviews<\/strong> of the development lifecycle to ensure risks remain under control as the environment evolves.<\/p>\n<p style=\"text-align: justify;\">For a broader perspective and <strong>higher-level recommendations<\/strong> on positioning CI\/CD as a cornerstone of the information system, see the RiskInsight article: \u201c<span style=\"color: #808080;\"><a style=\"color: #808080;\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2025\/09\/ci-cd-the-new-cornerstone-of-the-information-system\/\">CI\/CD: the new cornerstone of the information system<\/a><\/span>\u201d.<\/p>\n<p>\u00a0<\/p>\n\n\n","protected":false},"excerpt":{"rendered":"<p>In modern DevOps environments, CI\/CD pipelines automate code development, testing, and deployment, enabling rapid delivery and scalability while significantly expanding the attack surface. CI\/CD audits conducted in 2025 and 2026 revealed that credentials leaked in repositories, misconfigured runners, insecure artifact&#8230;<\/p>\n","protected":false},"author":1604,"featured_media":30388,"comment_status":"open","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2777,3273,3977],"tags":[5127,5128,4226,5129,5130,3208,3399,2772,3997,5131,5133],"coauthors":[5119,5118,4897],"class_list":["post-30390","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-digital-trust","category-ethical-hacking-indicent-response-en","category-focus","tag-artefacts","tag-artifactory","tag-ci-cd-2","tag-ci-cd-attacks","tag-ci-cd-security","tag-cloud-en","tag-cloud-security-en","tag-cybersecurity","tag-devsecops-2","tag-pipeline","tag-runners"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>CI\/CD Security: Supply chain attack from a compromised developer - RiskInsight<\/title>\n<meta name=\"description\" content=\"Explore a real-world CI\/CD supply chain attack kill chain. Learn how attackers pivot from a compromised developer to full cloud takeover, plus key remediations.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CI\/CD Security: Supply chain attack from a compromised developer - RiskInsight\" \/>\n<meta property=\"og:description\" content=\"Explore a real-world CI\/CD supply chain attack kill chain. Learn how attackers pivot from a compromised developer to full cloud takeover, plus key remediations.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-08T07:55:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-07-08T07:55:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2025-11-26-17_18_03-Presentation1-PowerPoint.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1316\" \/>\n\t<meta property=\"og:image:height\" content=\"729\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Meriem Abidi, Clara Decotignie, Gautier PLANTE\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Meriem Abidi, Clara Decotignie, Gautier PLANTE\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/\"},\"author\":{\"name\":\"Meriem Abidi\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/70af1a0809c9920bf9036e19ef8c5496\"},\"headline\":\"CI\/CD Security: Supply chain attack from a compromised developer\",\"datePublished\":\"2026-07-08T07:55:12+00:00\",\"dateModified\":\"2026-07-08T07:55:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/\"},\"wordCount\":2437,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2025-11-26-17_18_03-Presentation1-PowerPoint.png\",\"keywords\":[\"artefacts\",\"artifactory\",\"CI\/CD\",\"CI\/CD attacks\",\"CI\/CD security\",\"cloud\",\"cloud security\",\"cybersecurity\",\"DevSecOps\",\"pipeline\",\"runners\"],\"articleSection\":[\"Cybersecurity &amp; Digital Trust\",\"Ethical Hacking &amp; Incident Response\",\"Focus\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/\",\"name\":\"CI\/CD Security: Supply chain attack from a compromised developer - RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2025-11-26-17_18_03-Presentation1-PowerPoint.png\",\"datePublished\":\"2026-07-08T07:55:12+00:00\",\"dateModified\":\"2026-07-08T07:55:14+00:00\",\"description\":\"Explore a real-world CI\/CD supply chain attack kill chain. Learn how attackers pivot from a compromised developer to full cloud takeover, plus key remediations.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2025-11-26-17_18_03-Presentation1-PowerPoint.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2025-11-26-17_18_03-Presentation1-PowerPoint.png\",\"width\":1316,\"height\":729},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CI\/CD Security: Supply chain attack from a compromised developer\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/70af1a0809c9920bf9036e19ef8c5496\",\"name\":\"Meriem Abidi\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/meriem-abidi\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CI\/CD Security: Supply chain attack from a compromised developer - RiskInsight","description":"Explore a real-world CI\/CD supply chain attack kill chain. Learn how attackers pivot from a compromised developer to full cloud takeover, plus key remediations.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/","og_locale":"en_US","og_type":"article","og_title":"CI\/CD Security: Supply chain attack from a compromised developer - RiskInsight","og_description":"Explore a real-world CI\/CD supply chain attack kill chain. Learn how attackers pivot from a compromised developer to full cloud takeover, plus key remediations.","og_url":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/","og_site_name":"RiskInsight","article_published_time":"2026-07-08T07:55:12+00:00","article_modified_time":"2026-07-08T07:55:14+00:00","og_image":[{"width":1316,"height":729,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2025-11-26-17_18_03-Presentation1-PowerPoint.png","type":"image\/png"}],"author":"Meriem Abidi, Clara Decotignie, Gautier PLANTE","twitter_misc":{"Written by":"Meriem Abidi, Clara Decotignie, Gautier PLANTE","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/"},"author":{"name":"Meriem Abidi","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/70af1a0809c9920bf9036e19ef8c5496"},"headline":"CI\/CD Security: Supply chain attack from a compromised developer","datePublished":"2026-07-08T07:55:12+00:00","dateModified":"2026-07-08T07:55:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/"},"wordCount":2437,"commentCount":0,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2025-11-26-17_18_03-Presentation1-PowerPoint.png","keywords":["artefacts","artifactory","CI\/CD","CI\/CD attacks","CI\/CD security","cloud","cloud security","cybersecurity","DevSecOps","pipeline","runners"],"articleSection":["Cybersecurity &amp; Digital Trust","Ethical Hacking &amp; Incident Response","Focus"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/","url":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/","name":"CI\/CD Security: Supply chain attack from a compromised developer - RiskInsight","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2025-11-26-17_18_03-Presentation1-PowerPoint.png","datePublished":"2026-07-08T07:55:12+00:00","dateModified":"2026-07-08T07:55:14+00:00","description":"Explore a real-world CI\/CD supply chain attack kill chain. Learn how attackers pivot from a compromised developer to full cloud takeover, plus key remediations.","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2025-11-26-17_18_03-Presentation1-PowerPoint.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2026\/07\/2025-11-26-17_18_03-Presentation1-PowerPoint.png","width":1316,"height":729},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2026\/07\/ci-cd-security-supply-chain-attack-from-a-compromised-developer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"CI\/CD Security: Supply chain attack from a compromised developer"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity &amp; digital trust blog by Wavestone&#039;s consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/70af1a0809c9920bf9036e19ef8c5496","name":"Meriem Abidi","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/meriem-abidi\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/30390","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/1604"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=30390"}],"version-history":[{"count":9,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/30390\/revisions"}],"predecessor-version":[{"id":30432,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/30390\/revisions\/30432"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/30388"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=30390"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=30390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=30390"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=30390"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}