Microsoft Defender was unexpectedly installed on multiple workflow runs from mid-July through mid-August, causing abnormal network traffic. StepSecurity Harden Runner detected this infrastructure anomaly within hours, and GitHub Support has since resolved the issue

StepSecurity

StepSecurity's Harden Runner detected an unexpected Microsoft Defender installation on GitHub-hosted Ubuntu runners starting July 15, 2025. The wdavdaemon process was making anomalous outbound calls to Microsoft endpoints, which Harden Runner flagged within hours by comparing against established workflow baselines. GitHub confirmed the issue was an unintentional VM configuration error and has since corrected it. The incident highlights the value of runtime security monitoring in CI/CD pipelines: network anomaly detection caught an infrastructure change that would otherwise have gone unnoticed, and users in block mode were automatically protected. The post also references a prior March 2025 detection of the tj-actions/changed-files supply chain compromise using the same mechanism.

How StepSecurity Harden Runner Detected Unexpected Microsoft Defender Installation on GitHub-hosted Ubuntu Runners

The Discovery: Anomalous Network Calls Raise Red Flags

GitHub's Response: Confirming the Unintentional Installation

Enterprise Tier: Deep Process Intelligence

The Importance of Runtime Security in CI/CD

Protecting Your Pipelines with Harden Runner