Under the Radar: How We Found 0-Days in the Build Pipeline of OSS Packages

OpenSSF via YouTube

Overview

Explore the critical yet often overlooked area of build pipelines in open source packages in this 20-minute conference talk. Discover how data analysis infrastructure was developed to hunt for pipeline vulnerabilities, leading to the discovery of 0-days in major OSS projects including Terraform providers and modules, AWS Helm Charts, and popular GitHub Actions. Gain insights into a detailed attack tree for GitHub Actions pipelines, offering a deeper analysis than prior art and outlining both attacks and mitigations. Learn about a unique reference for 'Living Off the Pipeline' (LOTP) components, designed to help Red and Blue teams prioritize the riskier scenarios in supply chain security.

Syllabus

Under the Radar: How We Found 0-Days in the Build Pipeline o... François Proulx & Benoît Côte-Jodoin

Taught by

OpenSSF
