A significant supply chain compromise could be mounted against major IT and cryptocurrency organizations through a novel continuous integration/continuous delivery (CI/CD) attack technique that abuses thousands of public GitHub repositories vulnerable to malicious code injection, SecurityWeek reports.
Threat actors could mount such an attack against repositories that use self-hosted runners by leveraging a fork pull request to become a contributor, which lets their workflow runs execute on the runner without approval and opens the door to further code execution, according to a report by Praetorian security researcher Adnan Khan.
"When we operated against PyTorch, we could have added our own malicious code to their releases on nearly all of their release platforms. In the hands of a nation-state, this single attack could be devastating. In fact, many of these attacks could have caused their own version of SolarWinds or the recent Ledger crypto hack," said researcher John Stawinski, who worked with Khan.
Such an attack should prompt immediate hardening of default repository settings, noted Khan.
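The risky combination the report describes is a workflow that pull requests can trigger and that runs jobs on a self-hosted runner, in a repository whose approval setting lets a fork PR author run workflows once they count as a contributor. The audit script below, an added example that is not part of the article or of Praetorian's report, flags that combination in GitHub Actions workflow files. It uses only the standard library, so its YAML handling is a deliberate line-based heuristic over the top-level `on:` and job-level `runs-on:` keys rather than a full parser; the two workflow files embedded in it are constructed samples, and the function and class names are the example's own.

```python
"""Audit GitHub Actions workflow files for jobs on self-hosted runners that
pull requests (and therefore fork pull requests) can trigger.
Standard library only: the YAML handling is a line-based heuristic."""
import re
from dataclasses import dataclass

PR_TRIGGERS = {"pull_request", "pull_request_target"}


@dataclass
class Finding:
    workflow: str
    job: str
    triggers: set   # PR triggers present on the workflow
    labels: list    # runs-on labels of the flagged job


def _indent(line):
    return len(line) - len(line.lstrip())


def _inline_list(value):
    """'[a, b]' -> ['a', 'b']; 'a' -> ['a']; '' -> []."""
    value = value.split("#")[0].strip()
    if value.startswith("[") and value.endswith("]"):
        return [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
    return [value.strip("'\"")] if value else []


def _block_children(lines, start):
    """Direct children (mapping keys or '- items') of the block under line `start`."""
    names, indent = [], None
    for line in lines[start + 1:]:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        cur = _indent(line)
        if cur <= _indent(lines[start]):
            break                       # left the block
        if indent is None:
            indent = cur                # indentation of direct children
        if cur == indent:
            item = stripped.lstrip("-").strip().split(":")[0].strip().strip("'\"")
            names.append(item)
    return names


def _enclosing_key(lines, idx):
    """Nearest less-indented 'key:' line above idx, i.e. the job name for a runs-on."""
    for j in range(idx - 1, -1, -1):
        s = lines[j]
        if not s.strip() or s.strip().startswith("#"):
            continue
        if _indent(s) < _indent(lines[idx]):
            m = re.match(r"^\s*([A-Za-z0-9_.-]+):\s*$", s)
            return m.group(1) if m else None
    return None


def parse_triggers(lines):
    """Event names under the top-level 'on:' key (inline list, scalar or block)."""
    for i, line in enumerate(lines):
        m = re.match(r"^['\"]?on['\"]?:\s*(.*)$", line)
        if m:
            inline = _inline_list(m.group(1))
            return set(inline) if inline else set(_block_children(lines, i))
    return set()


def parse_runners(lines):
    """Yield (job name, runs-on labels) for every job-level runs-on key."""
    for i, line in enumerate(lines):
        m = re.match(r"^\s+runs-on:\s*(.*)$", line)
        if m:
            labels = _inline_list(m.group(1)) or _block_children(lines, i)
            yield _enclosing_key(lines, i), labels


def audit_workflow(name, text):
    """Return one Finding per self-hosted job in a PR-triggered workflow."""
    lines = text.splitlines()
    pr_triggers = parse_triggers(lines) & PR_TRIGGERS
    if not pr_triggers:
        return []
    return [Finding(name, job, pr_triggers, labels)
            for job, labels in parse_runners(lines)
            if any(lbl.lower() == "self-hosted" for lbl in labels)]


# Constructed sample: pull_request_target (which also runs with the base
# repository's secrets) on a self-hosted runner -> should be flagged.
RISKY_WORKFLOW = """\
name: CI
on:
  push:
    branches: [main]
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: [self-hosted, linux]
    steps:
      - uses: actions/checkout@v4
      - run: make test
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: make lint
"""

# Constructed sample: self-hosted runner, but only tag pushes can trigger it.
SAFE_WORKFLOW = """\
name: Release
on:
  push:
    tags: ['v*']
jobs:
  build:
    runs-on:
      - self-hosted
      - linux
    steps:
      - run: make release
"""

if __name__ == "__main__":
    for name, text in (("ci.yml", RISKY_WORKFLOW), ("release.yml", SAFE_WORKFLOW)):
        for f in audit_workflow(name, text):
            print(f"{f.workflow}: job '{f.job}' runs on {f.labels} "
                  f"and is reachable via {sorted(f.triggers)}")
```

Run it over every file in a repository's `.github/workflows/` directory to get the list of jobs to review. A flagged job is a finding, not automatically a compromise: the remaining question is the repository's "Fork pull request workflows from outside collaborators" setting, where "Require approval for all outside collaborators" prevents a contributor's fork PR from running on the runner without a maintainer approving it, and whether the self-hosted runner is ephemeral and isolated rather than persistent.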