CI/CD Pipeline Hijack: GitHub Actions Compromise
Investigate the March 2025 GitHub Actions supply-chain compromise involving tj-actions/changed-files and reviewdog/action-setup. A compromised action version tag caused Linux CI runners to execute malicious payload logic and expose CI/CD secrets in workflow logs using double-base64 encoding. Analyze SIEM and XDR telemetry to identify the affected action, runner identity, payload execution, detection source, and secret-exposure pattern, then decide which artifacts are malicious versus benign threat-intelligence lookups.
Investigation Tasks
Complete each task by investigating alerts and submitting your findings.
Establish Who Drove the Pipeline Activity (5 points)
You have been paged on a suspected CI/CD compromise affecting the GitHub Actions environment. Early in the shift, an automated alert flags an unusual execution pattern on a build runner. Before reconstructing what happened, establish whose identity was driving the automated activity on the runner around that alert, so later steps can separate legitimate automation from abuse.
Pin Down the Hijacked Pipeline Dependency (5 points)
Having tied the runner activity to the automation account, turn to how the malicious code entered the pipeline. CloudTrail telemetry for the GitHub API proxy shows a third-party GitHub Action having its version tag rewritten in the days before the incident. Identify which GitHub Action dependency was tampered with to become the foothold in this supply-chain compromise.
Trace the Setup Action Pulled Into the Run (10 points)
With the tampered action identified, examine how the runner environment was staged when the poisoned workflow executed. The telemetry around the unusual connection from the Linux runner shows a third-party setup utility being pulled in during the environment-initialization phase of the job. Identify that setup action file referenced in the runner artifacts.
Identify the Payload Executed on the Runner (10 points)
The poisoned action and its setup dependency gave the attacker code execution inside the job. Runner telemetry then records a shell script being fetched from a GitHub Gist and run on the Linux runner. Identify the payload filename recorded in the runner telemetry for that execution.
Determine How the Attacker Hunted for Secrets (5 points)
With code running on the runner, the next goal was credential access. Shortly after the payload executed, the runner telemetry shows a tool sweeping the workflow filesystem and process memory for exposed secrets. Identify the secret-scanning tool that was invoked on the Linux runner.
Characterize How the Stolen Secrets Were Staged (5 points)
The scanning step surfaced credentials, and the attacker needed to get them out of the ephemeral runner. The GitHub Actions run exposed the harvested secret material directly in the publicly visible workflow logs, obscured rather than left in plaintext. Determine the encoding pattern recorded for that exposed secret data.
Find What Opened the Network Path for Exfiltration (5 points)
Exfiltrating the harvested data required reaching out from the environment. Around the same window, a CloudTrail event on the GitHub API proxy records an AuthorizeSecurityGroupIngress API call that loosened the network controls. Review the SIEM telemetry for that event to determine which source IP address initiated the security-group change.
Assess Which Sensor Gave Us Visibility (5 points)
Having reconstructed the supply-chain compromise end to end, close the loop on detection coverage. A potential breach on the GitHub API proxy was flagged and labeled in the log-management system during the incident. Determine which security monitoring component first ingested and labeled that event, so the team understands where its visibility came from.
8 tasks · 50 points total
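The secret-staging task above turns on recognising the double-base64 pattern in public workflow logs. The following scanner is an added illustration of that detection idea and is not part of the training scenario or of any GitHub tooling: it finds base64-looking blobs in log lines, peels the encoding layer by layer, and reports only blobs that need two or more decodes to reach text that looks like a credential. The log lines and the secret value are constructed for the example.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Base64 alphabet run long enough to be interesting (short tokens are mostly noise).
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Crude hint that decoded text carries credential material.
SECRET_HINT = re.compile(r"(?i)(secret|token|password|api[_-]?key|aws_)")

# Constructed placeholder secret; nothing here is a real credential.
CONSTRUCTED_SECRET = "AWS_SECRET_ACCESS_KEY=EXAMPLEKEY0000000000000000"


@dataclass
class Finding:
    line_no: int   # 1-based log line number
    layers: int    # number of base64 layers peeled
    decoded: str   # plaintext recovered after the last layer


def _b64decode(s: str):
    """Strictly decode one base64 layer; return printable ASCII text or None."""
    try:
        raw = base64.b64decode(s, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def decode_layers(blob: str, max_layers: int = 3):
    """Peel base64 repeatedly. Returns (layers, text) or (0, None) if not base64."""
    text, layers = blob, 0
    while layers < max_layers:
        nxt = _b64decode(text.strip())
        if nxt is None:
            break
        layers += 1
        text = nxt
        if not B64_RE.fullmatch(text.strip()):
            break  # no further base64 layer to peel
    return layers, (text if layers else None)


def scan_workflow_log(lines):
    """Return findings for blobs that are >= 2 base64 layers deep and look secret-like."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in B64_RE.finditer(line):
            layers, plain = decode_layers(m.group(0))
            if layers >= 2 and plain and SECRET_HINT.search(plain):
                findings.append(Finding(n, layers, plain))
    return findings


def double_encode(s: str) -> str:
    """Apply base64 twice (the obscuring pattern this scanner looks for)."""
    once = base64.b64encode(s.encode()).decode()
    return base64.b64encode(once.encode()).decode()


def sample_log():
    """Constructed workflow log lines: benign noise, a single-layer blob, one double-layer blob."""
    return [
        "Run tj-actions/changed-files: computing diff",
        "echo Y29uZmlnPXByb2Q=",                       # single base64 of 'config=prod' (benign)
        "Warning: " + double_encode(CONSTRUCTED_SECRET),  # double-encoded secret dump
        "CloudTrail eventName=AuthorizeSecurityGroupIngress",  # long alpha run, not base64
    ]


if __name__ == "__main__":
    for f in scan_workflow_log(sample_log()):
        print(f"line {f.line_no}: {f.layers} layers -> {f.decoded}")
```

Run as a script to see the single double-encoded line flagged while the single-layer blob and the long API name are ignored; the strict `validate=True` decode plus the printable-ASCII check are what keep ordinary identifiers from producing false positives.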
Skills You'll Build
Requires foundational alert triage skills. Multiple data sources to correlate.
Prerequisites
- Basic understanding of security alerts
- Familiarity with SIEM concepts
- Familiarity with XDR concepts
More Operations
Credential Harvesting: The Lookalike Login
Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.
Malicious npm Package: Postinstall Infostealer
A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.
QR Code Phishing: Scan to Compromise
In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.