Asi Greenholts (@tupletype)'s Twitter Profile
Asi Greenholts

@tupletype

Concentrated AppSec juice • Security Researcher @PaloAltoNtwks

ID: 1440528621613895682

Website: https://greenholts.com
Joined: 22-09-2021 04:09:37

43 Tweets

182 Followers

52 Following

Asi Greenholts (@tupletype):

🔥 The CI/CD Goat 🐐 just got wilder 🔥 Beat our new challenge and win a Gaming Keyboard!!! Thanks to Yaron Avital and Omer Gil for co-writing the challenge! github.com/cider-security…

Asi Greenholts (@tupletype):

Check out my new blog "How to secure your Open Source Project – A quick guide for developers" with examples for GitHub 🥳 cidersecurity.io/blog/research/…

Asi Greenholts (@tupletype):

If you're going to RSAConference this year and you want to see a new attack method, come see Omer Gil and me talk about: Abuse of Repository Webhooks to Access Hundreds of Internal CI systems. rsaconference.com/usa/agenda/ses…

Asi Greenholts (@tupletype):

My DEF CON submission is accepted! Come see my talk 😄 The GitHub Actions Worm: Compromising GitHub repositories through the action dependency tree #defcon31

Asi Greenholts (@tupletype):

My submission got accepted to BSides Las Vegas!! Join me at the underground track 🤫 where I'll talk about: The GitHub Actions Worm: Compromising GitHub repositories through the action dependency tree 🌳

Asi Greenholts (@tupletype):

The GitHub Actions Worm: Compromising GitHub repositories through the actions dependency tree! 🕜 Sat 1:30 pm PT, Track 3 at DEF CON 📺 Watch live here: twitch.tv/defcon_dctv_th…

Asi Greenholts (@tupletype):

How can a worm 🪱 be used to compromise GitHub repositories at scale through the Actions dependency tree 🌲? The blog details a public disclosure, one of many reported to #bugbounty programs. This was first revealed at DEF CON 31 and BSides Las Vegas. paloaltonetworks.com/blog/prisma-cl…

PnL (@pnl63962200):

Hi Black Hat - I was shocked to discover that one of your Cyber Security Trainers and Review Board Members is also an antisemite, a terror supporter who publicly denies Hamas terror acts. Please remove Mohammed Aldoub م.محمد الدوب from his role immediately!

Omer Gil (@omer_gil):

Use CVE-2024-27198 to freely access internal TeamCity instances, create admin access tokens, and steal secrets and configurations - even if the server is not exposed to the internet. How? 🧵 #1/10

Asi Greenholts (@tupletype):

What do you think is an important routine for a Security Researcher? I think it is reading Cyber news daily. Here are the most unique and high quality resources I've found about CI/CD attacks in the past 3 years: github.com/TupleType-1/aw… Thanks Omer Gil for the review!

Asi Greenholts (@tupletype):

I'll be speaking at BSIDES TLV !!! Join my session about a novel supply chain attack technique abusing GitHub Actions intended behavior to spread a worm 🪱. bsidestlv.com/agenda/the_git…

Clint Gibler (@clintgibler):

📚 tl;dr sec 234
🗡️ Awesome CI/CD Attacks by Asi Greenholts
🤖 STRIDE GPT
☁️ Non Production AWS Attack Surface by Nick Frichette
🛡️ Secure defaults by Rami McCarthy
🛠️ WAF bypass tool by shubs
💻 Hacking millions of routers by Sam Curry
tldrsec.com/p/tldr-sec-234

BSIDES TLV (@bsidestlv):

Right now on stage Asi Greenholts with “The GitHub Actions Worm: Compromising GitHub repositories through the actions dependency tree”! Join live: youtube.com/live/tlBnIA9FQ…

Asi Greenholts (@tupletype):

Thank you Yaniv Hoffman for inviting me to discuss CI/CD security and my "Awesome CI/CD Attacks" project. We explored challenges, solutions, and key insights in this critical area of cybersecurity. youtube.com/watch?v=FiTERo…

Omer Gil (@omer_gil):

Two great talks delivered in Vegas this year by our team - again! In this year’s hacker summer camp in LV, our Research team will stand on the DEF CON & BSides Las Vegas stages again, to share two novel research projects we’ve been working on recently: #HackerSummerCamp #defcon32

Aviad (@_0xffd):

This Saturday I will be speaking at #DefCon32 about OIDC misconfigurations and abuses in the context of CI/CD 🥴👹. Come check it out! info.defcon.org/event/?id=54867 Palo Alto Networks #OIDC #oauth2 #ci #cd

Omer Gil (@omer_gil):

New research our team released today, showing how we could push code to highly popular open source projects maintained by Google, AWS, Microsoft, & Red Hat, through a race condition in GitHub Actions. Go hunt critical #bugbounty issues ;) by Yaron Avital unit42.paloaltonetworks.com/github-repo-ar…

Asi Greenholts (@tupletype):

🚨 We know the real target behind the attack on tj-actions/changed-files! Coinbase! The first publicly known exploitation of the technique I presented at DEFCON 31: The GitHub Action Worm. Read the full story: unit42.paloaltonetworks.com/github-actions… By Omer Gil, Yaron Avital, Aviad and me