Intermediate · SIEM · XDR

CI/CD Pipeline Hijack: GitHub Actions Compromise

Investigate the March 2025 GitHub Actions supply-chain compromise involving tj-actions/changed-files and reviewdog/action-setup. A compromised action version tag caused Linux CI runners to execute malicious payload logic and expose CI/CD secrets in workflow logs using double-base64 encoding. Analyze SIEM and XDR telemetry to identify the affected action, runner identity, payload execution, detection source, and secret-exposure pattern, then decide which artifacts are malicious versus benign threat-intelligence lookups.

50m · 8 tasks · 50 points · Free


Investigation Tasks

Complete each task by investigating alerts and submitting your findings.

Task 1 (5 points): Establish Who Drove the Pipeline Activity

You have been paged on a suspected CI/CD compromise affecting the GitHub Actions environment. Early in the shift, an automated alert flags an unusual execution pattern on a build runner. Before reconstructing what happened, establish whose identity was driving the automated activity on the runner around that alert, so later steps can separate legitimate automation from abuse.

Task 2 (5 points): Pin Down the Hijacked Pipeline Dependency

Having tied the runner activity to the automation account, turn to how the malicious code entered the pipeline. CloudTrail telemetry for the GitHub API proxy shows a third-party GitHub Action having its version tag rewritten in the days before the incident. Identify which GitHub Action dependency was tampered with to become the foothold in this supply-chain compromise.

Task 3 (10 points): Trace the Setup Action Pulled Into the Run

With the tampered action identified, examine how the runner environment was staged when the poisoned workflow executed. The telemetry around the unusual connection from the Linux runner shows a third-party setup utility being pulled in during the environment-initialization phase of the job. Identify that setup action file referenced in the runner artifacts.

Task 4 (10 points): Identify the Payload Executed on the Runner

The poisoned action and its setup dependency gave the attacker code execution inside the job. Runner telemetry then records a shell script being fetched from a GitHub Gist and run on the Linux runner. Identify the payload filename recorded in the runner telemetry for that execution.

Task 5 (5 points): Determine How the Attacker Hunted for Secrets

With code running on the runner, the next goal was credential access. Shortly after the payload executed, the runner telemetry shows a tool sweeping the workflow filesystem and process memory for exposed secrets. Identify the secret-scanning tool that was invoked on the Linux runner.

Task 6 (5 points): Characterize How the Stolen Secrets Were Staged

The scanning step surfaced credentials, and the attacker needed to get them out of the ephemeral runner. The GitHub Actions run exposed the harvested secret material directly in the publicly visible workflow logs, obscured rather than left in plaintext. Determine the encoding pattern recorded for that exposed secret data.

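The double-base64 exposure pattern this task asks you to characterize can be hunted for mechanically in workflow logs. The Python below is an added example, not part of the operation's materials: it unwraps base64 runs in log lines layer by layer and flags lines whose innermost text carries a credential-looking marker. The marker list, the constructed log lines and their timestamps are assumptions for illustration.

```python
import base64
import re

# Runs of base64 alphabet long enough to hold a credential; short tokens are ignored.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Substrings that suggest decoded text is a credential (assumed, not from the page).
SECRET_MARKERS = ("_KEY=", "_TOKEN=", "_SECRET", "PASSWORD=", "ghp_", "AKIA")

def double_encode(secret: str) -> str:
    """Wrap text in two base64 layers, mirroring the exposure pattern in the logs."""
    inner = base64.b64encode(secret.encode()).decode()
    return base64.b64encode(inner.encode()).decode()

def peel_base64(blob: str, max_layers: int = 3):
    """Peel base64 layers while each result is printable ASCII and still base64.
    Returns (layers_peeled, innermost_text); layers_peeled is 0 for non-base64."""
    layers, current = 0, blob
    while layers < max_layers:
        try:
            text = base64.b64decode(current, validate=True).decode("ascii")
        except ValueError:  # not base64, bad padding, or non-ASCII bytes
            break
        layers, current = layers + 1, text
        if not B64_RUN.fullmatch(current):  # innermost layer reached
            break
    return layers, current

def find_exposed_secrets(log_lines):
    """Return (line_no, layers, decoded_text) for each log line whose base64 run
    unwraps to text containing a secret marker."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for blob in B64_RUN.findall(line):
            layers, text = peel_base64(blob)
            if layers and any(m in text for m in SECRET_MARKERS):
                hits.append((line_no, layers, text))
    return hits

# Constructed sample workflow-log lines (not real incident data). Line 2 carries a
# fake credential encoded twice; line 4 is a hex digest that must not trigger.
SAMPLE_LOG = [
    "2025-03-14T22:01:07Z Run tj-actions/changed-files",
    "2025-03-14T22:01:09Z " + double_encode("AWS_SECRET_ACCESS_KEY=EXAMPLEKEYNOTREAL0000000000"),
    "2025-03-14T22:01:10Z Post job cleanup.",
    "2025-03-14T22:01:11Z checksum=" + "a" * 40,
]

if __name__ == "__main__":
    for line_no, layers, text in find_exposed_secrets(SAMPLE_LOG):
        print(f"line {line_no}: {layers} base64 layer(s) hide {text[:22]}...")
```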
Task 7 (5 points): Find What Opened the Network Path for Exfiltration

Exfiltrating the harvested data required reaching out from the environment. Around the same window, a CloudTrail event on the GitHub API proxy records an AuthorizeSecurityGroupIngress API call that loosened the network controls. Review the SIEM telemetry for that event to determine which source IP address initiated the security-group change.

Task 8 (5 points): Assess Which Sensor Gave Us Visibility

Having reconstructed the supply-chain compromise end to end, close the loop on detection coverage. A potential breach on the GitHub API proxy was flagged and labeled in the log-management system during the incident. Determine which security monitoring component first ingested and labeled that event, so the team understands where its visibility came from.


8 tasks · 50 points total

Training Tools

Skills You'll Build

Investigate realistic security alerts
SIEM log analysis
XDR log analysis
MITRE ATT&CK® technique identification
Triage decisions: escalate, investigate, or close
Evidence collection and documentation
Job-ready incident response methodology
Intermediate

Requires foundational alert triage skills. Multiple data sources to correlate.

Prerequisites

  • Basic understanding of security alerts
  • Familiarity with SIEM concepts
  • Familiarity with XDR concepts


More Operations

Beginner · SIEM

Credential Harvesting: The Lookalike Login

Investigate an adversary-in-the-middle (AiTM) credential phishing campaign that lured an employee to a lookalike Microsoft 365 login page. Working entirely from SIEM logs, you will identify the lookalike domain, reconstruct the multi-hop redirect chain through a compromised legitimate site, uncover a secondary phishing wave against another employee, and confirm account takeover in Azure AD sign-in logs via impossible travel and session-token replay. You finish by choosing the containment action that actually evicts an attacker holding a valid session token. Foundational skills for SOC analysts in lookalike-domain analysis and identity-centric incident response.

40m · 25 pts

Beginner · XDR · SIEM

Malicious npm Package: Postinstall Infostealer

A developer at a software company installs a typosquatted npm package. The package's postinstall hook silently reads environment variables, SSH keys, and cloud credentials from the user profile and POSTs them to an attacker endpoint before the terminal even finishes. Trace the process tree, the file reads, and the exfiltration traffic to reconstruct the full chain.

25m · 25 pts

Beginner · SIEM

QR Code Phishing: Scan to Compromise

In this scenario, you will investigate a modern 'Quishing' (QR phishing) attack that bypassed traditional email filters by hiding its payload inside an image. You will trace the full chain: a spoofed MFA-enrollment lure sent from purpose-built infrastructure, a redirect server that conceals the final destination, and an Evilginx-style adversary-in-the-middle page that stole an authenticated session cookie despite MFA. You will then follow the attacker's post-compromise moves — Graph API mailbox enumeration, SharePoint exfiltration, and a hidden inbox forwarding rule — and choose the containment action that actually evicts them.

30m · 25 pts