A detailed analysis of the Ultralytics CI/CD security breach where attackers exploited shell injection and pwn request vulnerabilities in GitHub Actions workflows to exfiltrate secrets, poison build caches, and inject cryptominers into PyPI releases v8.3.41 and v8.3.42. The post walks through the attack timeline, the two specific vulnerabilities (unsanitized inputs in ultralytics/actions and dangerous use of pull_request_target), and demonstrates how StepSecurity Harden-Runner in audit and block modes could have detected or prevented the attack by monitoring network egress and blocking connections to unauthorized endpoints.
Table of contents
IntroductionIncident OverviewWhat was the GitHub Actions Vulnerability?How the Adversary Compromised CI/CDHarden-Runner OverviewSimulate the Incident with Harden-RunnerSummaryReferencesSort: