StepSecurity's Harden Runner detected an unexpected Microsoft Defender installation on GitHub-hosted Ubuntu runners starting July 15, 2025. The wdavdaemon process was making anomalous outbound calls to Microsoft endpoints, which Harden Runner flagged within hours by comparing against established workflow baselines. GitHub confirmed the issue was an unintentional VM configuration error and has since corrected it. The incident highlights the value of runtime security monitoring in CI/CD pipelines: network anomaly detection caught an infrastructure change that would otherwise have gone unnoticed, and users in block mode were automatically protected. The post also references a prior March 2025 detection of the tj-actions/changed-files supply chain compromise using the same mechanism.
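The detection the summary describes is a baseline comparison: a workflow's earlier runs establish which processes normally talk to which destinations, and an outbound connection that falls outside that set is flagged (audit mode) or refused (block mode). The following is an added illustration of that idea, not StepSecurity's Harden Runner code and not its configuration format; it works on in-memory connection records rather than live kernel events, and every process name, hostname and run history in it is constructed for the example (the wdavdaemon destination is a placeholder, not a real Microsoft endpoint).

```python
"""Baseline-vs-observed egress anomaly detection for a CI job.

Added example, not StepSecurity's code. Models the mechanism in the summary:
record the (process, host, port) triples a workflow normally produces, then
flag, and in block mode refuse, any outbound connection outside that set.
All sample data below is constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Literal


@dataclass(frozen=True)
class Egress:
    """One outbound connection, attributed to the process that opened it."""
    process: str
    host: str
    port: int

    def key(self) -> tuple[str, str, int]:
        return (self.process, self.host, self.port)


@dataclass(frozen=True)
class Verdict:
    egress: Egress
    anomalous: bool    # triple is not in this workflow's baseline
    new_process: bool  # the process itself has no baseline entries at all
    blocked: bool      # only ever True in block mode


def build_baseline(prior_runs: Iterable[Iterable[Egress]],
                   min_runs: int = 2) -> set[tuple[str, str, int]]:
    """Baseline = triples seen in at least min_runs distinct prior runs.

    Counting runs rather than connections means a destination hit many times
    in one unusual run still does not become 'normal'.
    """
    seen_in_runs: Counter[tuple[str, str, int]] = Counter()
    for run in prior_runs:
        for key in {e.key() for e in run}:
            seen_in_runs[key] += 1
    return {key for key, n in seen_in_runs.items() if n >= min_runs}


def evaluate(observed: Iterable[Egress],
             baseline: set[tuple[str, str, int]],
             mode: Literal["audit", "block"] = "audit") -> list[Verdict]:
    """Compare one run's connections against the baseline.

    A known process reaching a new host and a never-seen process are both
    anomalous, but the second is the stronger signal (an unexpected binary
    running on the runner), so it is reported separately.
    """
    known_processes = {process for process, _, _ in baseline}
    verdicts = []
    for e in observed:
        anomalous = e.key() not in baseline
        verdicts.append(Verdict(
            egress=e,
            anomalous=anomalous,
            new_process=anomalous and e.process not in known_processes,
            blocked=anomalous and mode == "block",
        ))
    return verdicts


def sample_prior_runs() -> list[list[Egress]]:
    """Constructed history: three earlier runs of the same workflow."""
    usual = [Egress("git", "github.com", 443),
             Egress("node", "registry.npmjs.org", 443)]
    # curl -> pypi.org happened in only one run, so it stays out of the baseline.
    return [usual, usual + [Egress("curl", "pypi.org", 443)], usual]


def sample_observed() -> list[Egress]:
    """Constructed events from one new run; hostnames are placeholders."""
    return [
        Egress("git", "github.com", 443),
        Egress("node", "registry.npmjs.org", 443),
        Egress("node", "cdn.example", 443),                       # known process, new destination
        Egress("wdavdaemon", "defender-telemetry.example", 443),  # process never seen before
    ]


if __name__ == "__main__":
    baseline = build_baseline(sample_prior_runs())
    for v in evaluate(sample_observed(), baseline, mode="block"):
        state = "BLOCKED" if v.blocked else ("anomalous" if v.anomalous else "ok")
        tag = " (new process)" if v.new_process else ""
        print(f"{v.egress.process:>11} -> {v.egress.host}:{v.egress.port}  {state}{tag}")
```

Two caveats a practitioner would keep in mind: a baseline built from too few runs produces false positives for legitimate but infrequent destinations (the constructed curl entry shows why a minimum run count helps), and the "new process" distinction only holds if connections are attributed to the originating process rather than to the runner as a whole, which is the property the summary credits Harden Runner with.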
Table of contents

Introduction
The Discovery: Anomalous Network Calls Raise Red Flags
GitHub's Response: Confirming the Unintentional Installation
How Harden Runner Detected the Anomaly
Community Tier: Network Visibility
Enterprise Tier: Deep Process Intelligence
The Importance of Runtime Security in CI/CD
Protecting Your Pipelines with Harden Runner
Start Monitoring in 60 Seconds
Conclusion