A critical AWS CodeBuild vulnerability (CVE-2025-8217) allowed malicious pull requests to dump secrets from CI/CD build memory, enabling attackers to steal repository access tokens. The technique mirrors the March 2025 tj-actions/changed-files GitHub Actions supply chain attack (CVE-2025-30066), where compromised actions read runner process memory via /proc to exfiltrate credentials. Key defenses include deploying runtime monitoring agents like StepSecurity Harden-Runner to detect memory reads, anomalous network calls, and reverse shells; enforcing least-privilege credentials; and disabling automatic builds for untrusted pull requests.
Table of contents
Understanding the Attack TechniqueReal-World Impact: GitHub Actions Memory-Dump AttacksHow StepSecurity Harden-Runner Detects Memory-Based AttacksBeyondMemory Dumps: Comprehensive CI/CD Security with Harden-RunnerRecommended Best Practices to Mitigate CI/CD Pipeline RisksSummarySort: