< ciso
brief />
Tag Banner

All news with #ci cd security tag

49 articles

GitHub Actions attack pattern that eludes CI scanners

🛡️ In June 2026, Novee Security disclosed "Cordyceps," a CI/CD composition weakness across thousands of high-impact repositories that flagged 654 and confirmed 300+ exploitable cases. The issue stems from how GitHub Actions events like pull_request_target and workflow_run execute with elevated privileges and can be tricked into running attacker-controlled content. Each workflow file appears valid, so SAST/DAST tools miss the cross-file composition that enables command, code injection and cross-workflow privilege escalation. Vendors have patched, but the broader governance gap—exacerbated by AI-generated workflows—remains and requires stricter trust boundaries and provenance controls.
read more →

AWS CodePipeline now available in New Zealand Region

🚀 AWS CodePipeline is now available in Asia Pacific (New Zealand) Region (ap-southeast-6). CodePipeline is a continuous delivery service that models, visualizes, and automates release processes including build, test, and deployment. It integrates with AWS services like CodeBuild, CodeDeploy, and CloudFormation, and supports third-party tools such as GitHub. The service includes governance controls like manual approvals, IAM-based access, and artifact encryption to help enforce security and compliance.
read more →

ECS Express Mode adds support for custom task definitions

🚀 Amazon Elastic Container Service (ECS) Express Mode now supports custom task definitions, enabling teams to reuse existing ECS configurations and CI/CD workflows while benefiting from Express Mode’s simplified deployment. This update brings advanced task-level options—like observability and security sidecars, custom health checks, ulimits, Linux runtime settings, and FireLens log routing—into Express Mode services. Available in all AWS Regions, you can add a custom task definition via the AWS Console, CLI, SDKs, or infrastructure-as-code tools to manage deployments either through task definition updates or Express Mode.
read more →

CloudFormation and CDK Express Mode for Faster Deployments

🚀 AWS announces CloudFormation and CDK express mode, cutting deployment time by up to 4x for developers and AI agents by marking stacks complete once resource configuration is applied, rather than waiting for extended stabilization. Express mode lets propagation and long-running stabilization continue asynchronously, preserves dependency ordering and failure handling within stacks, and disables rollback by default to speed iterative fix-and-retry workflows. It requires no template changes and can be enabled via CLI, SDKs, console, or cdk deploy --express. The feature is available in all Regions where CloudFormation is supported.
read more →

Shai Hulud CI/CD to Redshift breach analysis

🔍 This FortiGuard Labs analysis examines the Shai Hulud supply chain worm that poisoned CI/CD dependencies to harvest Jenkins credentials and pivot into AWS. The report outlines a mid‑May 2026 incident where FortiCNAPP traced external use of a Jenkins instance role, IAM escalation to a cloudops-monitor identity, and subsequent Redshift data extraction. It highlights detection signals, MITRE mappings, and recommended containment actions.
read more →

Widespread GitHub Actions Misconfigs Threaten CI/CD

🔍 Kaspersky researchers analyzed GitHub Actions across ~30,000 popular repositories and scanned ~130,000 pipelines using new rules in Kaspersky Container Security. Only 10% of repositories showed no concerns; the scan flagged over 250,000 potential deviations from secure CI/CD recommendations, with 0.4% classified as high risk and eight repositories containing critical flaws that could enable supply chain compromise. The study highlights common errors like exposed secrets, insecure run conditions, and unsafe handling of external data, and the ruleset is now available to KCS users.
read more →

AWS DevOps Agent Adds Release Management Preview

🛠️ AWS DevOps Agent now includes a release management capability in preview that reviews code changes for release readiness and runs autonomous release testing to improve production deployments. The feature evaluates drift from internal standards, dependency impacts, and access controls, and maps cross-repository dependencies to surface breaking changes. It also generates and executes test plans for web and API applications in customer environments to catch regressions and integration issues. The preview is available in US East (N. Virginia) at no additional cost.
read more →

Securing CI/CD in an agentic world: Claude Code case

🔒 Microsoft Threat Intelligence found that Anthropic’s Claude Code GitHub Action could expose CI/CD secrets when AI agents process untrusted GitHub content. A gap in sandboxing allowed the action’s Read tool to access /proc/self/environ and leak the ANTHROPIC_API_KEY; Anthropic mitigated the issue in version 2.1.128. Defenders should treat AI workflows that handle untrusted input as high-risk and apply recommended hardening controls.
read more →

Large npm supply‑chain compromise targets Red Hat scope

🛡️ Microsoft Threat Intelligence disclosed a widespread npm supply‑chain attack that trojanized 32 packages across the @redhat-cloud-services scope via a compromised CI/CD pipeline. The malicious packages used an npm preinstall hook to run an obfuscated 4.29 MB dropper that downloads the Bun runtime and executes credential‑stealing and propagation payloads across Linux, macOS, and Windows. The campaign, labelled “Miasma: The Spreading Blight,” harvested secrets from GitHub Actions runners, cloud provider CLIs, SSH keys, browsers, and vaults, and attempted to republish poisoned packages and inject code into victim repositories.
read more →

Supply Chain Intrusions Target Developer Tooling

🔒 CISA is addressing multiple software supply chain intrusions that target developer ecosystems, specifically CI/CD pipelines, code extensions, and workflows. A malicious Nx Console VS Code extension (version 18.95.0) exploited a prior compromise of Nx developer systems to access a GitHub employee’s device, leading to unauthorized access and exfiltration of internal repositories and assignment of CVE-2026-48027. The “Megalodon” campaign injected malicious GitHub Action workflows to harvest CI/CD secrets, cloud credentials, and tokens. CISA urges organizations to detect and remediate potential compromises and implement recommended best practices for package repositories and CI/CD security.
read more →

Megalodon campaign backdoors GitHub Actions at scale

🔒 Researchers at SafeDep uncovered the Megalodon campaign that pushed 5,718 malicious commits into 5,561 public GitHub repositories during a six-hour window on May 18. The attackers modified GitHub Actions workflows to embed base64-encoded bash payloads designed to exfiltrate CI-exposed secrets such as cloud credentials, SSH keys, and OIDC tokens. The campaign used compromised Personal Access Tokens or deploy keys and forged author identities like build-bot to directly commit changes without PRs, and delivered two payload variants that either ran on every push or via workflow_dispatch triggers.
read more →

Embed AI Governance into Release Infrastructure

🚦The author argues that traditional post-hoc compliance reviews fail for AI because AI systems change continuously. Drawing on research into Chinese and EU approaches, the piece recommends embedding governance into CI/CD pipelines so model cards, data lineage and risk evaluations are generated and enforced as deployment gates. It also urges treating agent identity as first-class security control and positioning compliance as operational release infrastructure rather than a review layer.
read more →

Google Cloud launches AppLifecycle Manager Feature Flags

🔔 AppLifecycle Manager Feature Flags (ALM FF) enters public preview as a rule-based service to decouple feature releases from code deployments. By using toggles and the Common Expression Language (CEL), teams can perform gradual rollouts, instant kill-switches, and percentage-based traffic ramps. String-type flags enable dynamic configuration for applications, including LLM prompts, while OpenFeature compatibility avoids vendor lock-in.
read more →

GitHub Breach Linked to Malicious Nx Console Extension

🔒 GitHub said hackers accessed approximately 3,800 internal repositories after a developer installed a malicious version of the Nx Console Visual Studio Code extension that was poisoned during last week's TanStack npm supply-chain attack. The intrusion, linked to the actor known as TeamPCP, used stolen CI/CD credentials to move into multiple projects including UiPath, Guardrails AI and OpenSearch. GitHub secured the compromised device, rotated high-impact secrets and continues log analysis and monitoring to detect follow-on activity.
read more →

GitHub Internal Repositories Breached via VS Code Extension

🔒 GitHub confirmed an intrusion into internal repositories after an employee device was compromised by a poisoned version of the Nx Console VS Code extension published as nrwl.angular-console. The attacker, tracked as TeamPCP, exfiltrated approximately 3,800 repositories; GitHub says it rotated critical secrets and is monitoring for follow-on activity. The trojanized release was available for only 18 minutes but delivered a credential stealer targeting 1Password, Anthropic Claude Code, npm, GitHub and AWS.
read more →

Mini Shai Hulud: antv npm Packages Compromised in CI/CD

🔒 Microsoft disclosed an active supply-chain attack that compromised an @antv npm maintainer account and published malicious versions of charting libraries, including echarts-for-react. The obfuscated ~499 KB JavaScript payload executes during npm install and targets GitHub Actions runners to harvest secrets from GitHub, AWS, HashiCorp Vault, npm, Kubernetes and 1Password by scraping process memory and enumerating secret stores. The campaign leverages privilege escalation, dual-channel exfiltration, and SLSA provenance forgery to evade detection; GitHub removed malicious packages and invalidated exposed tokens.
read more →

Grafana breach traced to missed GitHub token rotation

🔐 Grafana confirmed its recent data breach stemmed from a single missed GitHub workflow token that was exfiltrated after malicious TanStack npm packages executed in its CI/CD environment. The company detected the intrusion on May 1, rotated most tokens, and launched its incident response, but one token was overlooked and allowed attackers repository access. Grafana says source code wasn't altered and no customer production systems were impacted.
read more →

Amazon ECS adds pause-and-continue deployment hooks

⏸️ Amazon Elastic Container Service (Amazon ECS) now supports configurable pause points in service deployments, allowing operators to halt progression at critical stages for manual approvals, tests, or operational checks. ECS emits Amazon EventBridge events at pause points and provides the ContinueServiceDeployment API to resume or rollback. Pause hooks support timeouts up to 14 days and configurable timeout actions. The feature integrates with native deployment strategies and is available across commercial and GovCloud Regions.
read more →

GitHub Actions Compromised via Imposter Commit Attack

🔒 Security researchers from StepSecurity report that the popular GitHub Actions workflow actions-cool/issues-helper was hijacked by attackers who moved existing tags to imposter commits in an adversary-controlled fork. The malicious commit downloads the Bun JavaScript runtime, reads memory from the Runner.Worker process to harvest CI/CD credentials, and exfiltrates them to an attacker-controlled domain. A second action, actions-cool/maintain-one-comment, had 15 tags similarly altered. GitHub has disabled repository access and only workflows pinned to full commit SHAs remain unaffected.
read more →

Kaspersky Container Security: Practical Team Insights

🔒 Kaspersky Container Security (KCS) is presented as a comprehensive platform that reaches beyond registry image scanning to secure container workflows across development and production. The Product Security Team uses KCS in CI/CD pipelines, registry correlation, and cluster runtime monitoring to tie findings to specific artifacts, pipelines, and scan times. KCS computes risk ratings, supports SBOM processing, and produces reports in SARIF, CycloneDX, SPDX and standard formats to integrate with AppSec and internal tooling.
read more →