Data/attacks.json
[
{ "id": "trivy-tag-poisoning", "name": "Trivy tag poisoning", "date": "2024-07-01", "description": "An attacker force-pushed a malicious commit to a Trivy release tag, poisoning consumers that pinned only to the mutable tag instead of an immutable commit SHA.", "affectedPackages": [ "aquasecurity/trivy-action", "Trivy" ], "cves": [], "references": [ "https://www.aquasec.com/blog/", "https://github.com/aquasecurity/trivy-action" ], "detectionSignals": [ "Workflow uses third-party actions by tag instead of commit SHA", "Security-sensitive actions are not pinned to immutable digests", "No policy enforcement for immutable action references" ] },
{ "id": "tj-actions-shai-hulud", "name": "tj-actions/changed-files (Shai-Hulud) token exfiltration", "date": "2025-03-01", "description": "A compromised GitHub Action release exfiltrated CI secrets through workflow logs, enabling unauthorized reuse of tokens and secrets in downstream environments.", "affectedPackages": [ "tj-actions/changed-files" ], "cves": [], "references": [ "https://github.com/tj-actions/changed-files", "https://github.com/advisories" ], "detectionSignals": [ "Use of affected action versions", "Workflows expose secrets to untrusted execution contexts", "CI logs include sensitive values or token-like patterns" ] },
{ "id": "nx-pwn-request", "name": "nx/Pwn Request", "date": "2025-01-01", "description": "A pull request trigger abuse pattern allowed attacker-controlled code to execute in CI with elevated repository context, enabling tampering and secret access.", "affectedPackages": [ "nrwl/nx" ], "cves": [], "references": [ "https://github.com/nrwl/nx", "https://securitylab.github.com/research/github-actions-preventing-pwn-requests/" ], "detectionSignals": [ "Unsafe use of pull_request_target with checkout of untrusted code", "Write-capable tokens available to PR-triggered workflows", "No workflow isolation for fork-originated pull requests" ] },
{ "id": "axios-npm-token-leak", "name": "Axios npm token leak", "date": "2024-01-01", "description": "An npm publish token was exposed in CI logs, allowing an attacker to publish malicious package versions under a trusted package name.", "affectedPackages": [ "axios" ], "cves": [], "references": [ "https://github.com/axios/axios", "https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow" ], "detectionSignals": [ "CI pipelines print environment variables or token-containing commands", "Long-lived npm tokens used instead of scoped automation tokens", "No log redaction or secret masking validation" ] },
{ "id": "codecov-bash-uploader", "name": "Codecov bash uploader supply chain compromise", "date": "2021-04-01", "description": "Attackers gained access to Codecov's CI environment and modified the bash uploader script to exfiltrate environment variables — including repository secrets and tokens — from any CI pipeline that downloaded and executed the script. Thousands of organizations were affected before discovery.", "affectedPackages": [ "codecov/codecov-action", "codecov-bash-uploader" ], "cves": [], "references": [ "https://about.codecov.io/security-update/", "https://github.com/codecov/codecov-action" ], "detectionSignals": [ "Default branch allows force pushes with no branch protection", "No required reviewers on default branch", "CI artifacts or scripts fetched without integrity verification" ] },
{ "id": "uber-credential-leak", "name": "Uber credential exposure via repository secret", "date": "2022-09-01", "description": "An attacker obtained valid credentials through social engineering and discovered additional high-privilege secrets stored in internal repositories and secret scanning tools. The absence of secret scanning and open unresolved alerts allowed lateral movement across Uber's infrastructure.", "affectedPackages": [], "cves": [], "references": [ "https://www.uber.com/newsroom/security-update/", "https://docs.github.com/code-security/secret-scanning/about-secret-scanning" ], "detectionSignals": [ "Secret scanning not enabled on repository", "Open secret scanning alerts left unresolved", "Long-lived credentials committed or accessible without rotation policy" ] },
{ "id": "event-stream-hijack", "name": "event-stream npm package hijack", "date": "2018-11-01", "description": "A malicious maintainer was granted ownership of the popular event-stream npm package and injected a dependency (flatmap-stream) containing obfuscated code designed to steal cryptocurrency wallet credentials from a specific downstream application. The attack exploited blind trust in transitive dependencies.", "affectedPackages": [ "event-stream", "flatmap-stream" ], "cves": [], "references": [ "https://github.com/dominictarr/event-stream/issues/116", "https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident" ], "detectionSignals": [ "Dependabot alerts not enabled on repository", "Open critical or high severity dependency vulnerability alerts", "No automated dependency update policy in place" ] },
{ "id": "solarwinds-orion", "name": "SolarWinds Orion supply chain attack", "date": "2020-12-01", "description": "Nation-state attackers compromised SolarWinds' build environment and injected the SUNBURST backdoor into signed Orion software updates. The attack went undetected for months because no code scanning or integrity verification was in place to detect the injected code.", "affectedPackages": [ "SolarWinds Orion" ], "cves": [ "CVE-2020-10148" ], "references": [ "https://www.solarwinds.com/sa-overview/securityadvisory", "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/" ], "detectionSignals": [ "Code scanning not configured on repository", "No recent code analysis runs", "Build pipeline lacks integrity checks or reproducible build verification" ] },
{ "id": "github-actions-cryptomining", "name": "GitHub Actions self-hosted runner crypto-mining abuse", "date": "2020-12-01", "description": "Attackers discovered public repositories with self-hosted runners configured to execute workflows triggered by pull requests from forks. By submitting pull requests, they executed arbitrary code on self-hosted infrastructure to mine cryptocurrency and exfiltrate runner environment secrets.", "affectedPackages": [], "cves": [], "references": [ "https://docs.github.com/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#self-hosted-runner-security", "https://github.blog/security/application-security/security-hardening-for-github-actions/" ], "detectionSignals": [ "Self-hosted runner used in workflow triggered by pull_request on a public repository", "Workflow triggered by pull_request_target runs on a self-hosted runner", "Self-hosted runner labels do not restrict execution to trusted contexts" ] },
{ "id": "trivy-force-push-main", "name": "Trivy force-push to main", "date": "2024-07-01", "description": "An attacker force-pushed directly to the main branch where branch protection controls were insufficient, bypassing expected review and integrity checks.", "affectedPackages": [ "Trivy" ], "cves": [], "references": [ "https://github.com/aquasecurity/trivy", "https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches" ], "detectionSignals": [ "Default branch protection does not block force pushes", "Required pull request reviews are disabled on the default branch", "No status checks required before merge" ] },
{ "id": "praetorian-runner-pivot", "name": "Praetorian self-hosted runner lateral movement", "date": "2024-07-01", "description": "A red team obtained a PAT with repo scope, created a malicious workflow targeting org-wide self-hosted runners, escalated to root via Docker group membership, and pivoted into the internal network. The exercise demonstrates why runners should be scoped to specific repositories and why ephemeral runners matter.", "affectedPackages": [], "cves": [], "references": [ "https://www.praetorian.com/blog/self-hosted-github-runners-are-backdoors/" ], "detectionSignals": [ "Org-wide runner groups available to all repositories", "Self-hosted runners not configured as ephemeral", "Runner groups not restricted to specific repositories or workflows", "Self-hosted runners accessible from public repositories" ] },
{ "id": "prt-scan-ai-automated", "name": "prt-scan AI-automated PR poisoning", "date": "2026-03-11", "description": "An AI-assisted threat actor opened 475+ malicious PRs in 26 hours targeting repositories with a pull_request_target trigger, with an approximately 10% success rate across 450+ attempts. High-value targets (Sentry, OpenSearch, NixOS) blocked it with first-time contributor approval gates and actor-restricted workflows. Six waves from six accounts were traced to a single actor.", "affectedPackages": [], "cves": [], "references": [ "https://www.wiz.io/blog/six-accounts-one-actor-inside-the-prt-scan-supply-chain-campaign" ], "detectionSignals": [ "Workflows using pull_request_target that check out untrusted PR code", "No first-time contributor approval gates for fork PRs", "Secrets accessible in pull_request_target context", "No actor-restriction conditions on sensitive workflows" ] },
{ "id": "hackerbot-claw", "name": "hackerbot-claw autonomous CI/CD attacker", "date": "2026-03-01", "description": "An autonomous bot used 5 different exploitation techniques across 7 successful high-profile attacks and exfiltrated a GitHub token with write permissions from a highly popular repository. It is the first known AI-powered CI/CD attacker, preceding prt-scan.", "affectedPackages": [], "cves": [], "references": [ "https://github.blog/security/supply-chain-security/securing-the-open-source-supply-chain-across-github/" ], "detectionSignals": [ "Workflows using pull_request_target with untrusted code checkout", "Secrets accessible to fork PR workflows", "No egress controls on CI runners", "Write-permission tokens available in PR-triggered workflows" ] },
{ "id": "trivy-supply-chain-2026", "name": "Trivy supply chain worm", "date": "2026-03-01", "description": "The most sophisticated supply chain attack on a security tool to date. It combined credential theft, tag poisoning, binary tampering, persistent backdoors, and a self-propagating worm; 28 npm packages were compromised in under 60 seconds. The attack originated from a pull_request_target misconfiguration that led to credential theft.", "affectedPackages": [ "aquasecurity/trivy-action", "Trivy" ], "cves": [], "references": [ "https://www.paloaltonetworks.com/blog/cloud-security/trivy-supply-chain-attack/" ], "detectionSignals": [ "pull_request_target trigger with untrusted code checkout", "No egress controls to detect exfiltration", "Actions referenced by mutable tags instead of SHA", "No network egress filtering on CI runners" ] },
{ "id": "github-app-token-theft", "name": "GitHub App installation token abuse", "date": "2025-01-01", "description": "A pattern in which overly permissive GitHub App installations at the org level (especially with contents:write and actions:write) allow an attacker who compromises any single app to modify workflows and trigger them across every repository the app can access.", "affectedPackages": [], "cves": [], "references": [ "https://docs.github.com/en/apps/using-github-apps/reviewing-and-modifying-installed-github-apps" ], "detectionSignals": [ "GitHub Apps installed org-wide with write permissions", "Apps with both contents:write and actions:write permissions", "Stale or unused app installations widening attack surface", "Apps with administration permission that can modify repo settings" ] },
{ "id": "xz-utils-backdoor", "name": "XZ Utils (liblzma) maintainer backdoor", "date": "2024-03-29", "description": "A long-running social engineering operation culminated in a malicious maintainer (\"Jia Tan\") gaining commit access to xz-utils and inserting an obfuscated backdoor into liblzma that compromised sshd on affected systems. The attack hinged on a single trusted maintainer with broad write access, no code-owner enforcement, and unsigned commits reaching downstream distributions.", "affectedPackages": [ "xz-utils", "liblzma" ], "cves": [ "CVE-2024-3094" ], "references": [ "https://tukaani.org/xz-backdoor/", "https://research.swtch.com/xz-script" ], "detectionSignals": [ "Repository has a single maintainer with unrestricted write access", "CODEOWNERS absent or uses catch-all assigned to one user", "Default branch does not require signed commits", "Commits merged without secondary reviewer" ] },
{ "id": "unauthorized-env-deployment", "name": "Unauthorized deployment via unprotected environment", "date": "2024-01-01", "description": "A generic pattern in which GitHub deployment environments are configured without required reviewers, wait timers, or deployment branch policies. Any workflow with access to the environment can push code to production without human approval, turning a compromised PR or workflow into a direct path to production.", "affectedPackages": [], "cves": [], "references": [ "https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment", "https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution" ], "detectionSignals": [ "Deployment environments without required reviewers", "Environments with no wait timer for production deployments", "No deployment branch policy restricting which refs can deploy", "Environment secrets accessible to workflows without approval gates" ] },
{ "id": "toyota-source-exposure", "name": "Toyota source code public repository exposure", "date": "2022-10-07", "description": "Toyota disclosed that portions of its T-Connect connected-car source code had been hosted on a public GitHub repository for roughly five years, exposing an access key for a customer data server. The root cause was a repository whose visibility did not match its sensitivity, with no visibility review or naming-convention audit.", "affectedPackages": [], "cves": [], "references": [ "https://global.toyota/en/newsroom/corporate/38095972.html", "https://www.bleepingcomputer.com/news/security/toyota-reveals-data-breach-that-exposed-customer-details/" ], "detectionSignals": [ "Public repositories with names suggesting internal or private use", "No repository visibility review process", "Secrets committed to public repositories", "Repository visibility mismatched with org conventions" ] },
{ "id": "azure-karpenter-pwn-request", "name": "Azure Karpenter Provider Pwn Request", "date": "2025-01-01", "description": "A Pwn Request vulnerability was exploited in Microsoft's open-source Azure Karpenter Provider project. StepSecurity Harden-Runner detected the attack in real time, and it was reported to MSRC within an hour. The attack could have compromised the cloud environment the project had access to.", "affectedPackages": [ "Azure/karpenter-provider-azure" ], "cves": [], "references": [ "https://www.stepsecurity.io/" ], "detectionSignals": [ "pull_request_target trigger with checkout of untrusted PR code", "No egress monitoring to detect exfiltration attempts", "Secrets accessible in pull_request_target context", "No Harden-Runner or equivalent egress control in place" ] }
]