YouTube

Grand Theft Actions - Abusing Self-Hosted GitHub Runners for Supply Chain Attacks

DEFCONConference via YouTube

Overview

Explore critical security vulnerabilities in GitHub Actions through this DEF CON conference talk that reveals how self-hosted runners can be exploited for supply chain attacks. Learn about the researchers' discovery of widespread GitHub Actions misconfigurations that enabled potential backdoors in major open-source projects, including a detailed case study of their attack on PyTorch. Understand the techniques, tactics, and procedures for escalating privileges within GitHub Actions workflows, starting from compromised self-hosted runners. Discover how insecure defaults in GitHub's security model create systemic vulnerabilities that expose projects to critical attacks from the public internet. Gain insights from the researchers' extensive campaign that resulted in numerous security reports and substantial bug bounties, while understanding the broader implications for CI/CD security in open-source projects, startups, and enterprises.

Syllabus

DEF CON 32 - Grand Theft Actions Abusing Self Hosted GitHub Runners - Adnan Khan, John Stawinski

Taught by

DEFCONConference
