GHSA-X7CF-6GP3-Q5F8

Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution

On August 13, 2024, Palo Alto Networks Unit 42 published ArtiPACKED, a widespread CI/CD misconfiguration class in which GitHub Actions build artifacts inadvertently leaked authentication tokens, affecting major open-source projects from Google, Microsoft, Red Hat, AWS, Canonical, and OWASP. The root cause is that actions/checkout persists credentials by default, writing the workflow's GITHUB_TOKEN into the checked-out .git/config for authenticated Git operations; when a later step uploaded the workspace (test results, build output, or the full checkout directory) via actions/upload-artifact, the .git directory and its embedded token, along with environment-derived secrets and cloud credentials, were packaged into the downloadable artifact. Because v4 artifacts can be downloaded while the run is still in progress and are readable by anyone for public repositories, an attacker could win a race condition: download the artifact, extract the still-valid GITHUB_TOKEN before the job completed and the token expired, and use it to push code, create branches, or pivot into connected cloud environments. Unit 42 identified numerous large projects leaking tokens this way and disclosed each responsibly for remediation.

On January 11, 2024 Praetorian researchers John Stawinski and Adnan Khan publicly disclosed a critical supply-chain attack against PyTorch's GitHub Actions CI, originally reported on August 9, 2023. They first merged a trivial markdown typo fix, which promoted their account to a returning contributor whose pull-request workflows no longer required manual approval. PyTorch ran CI on persistent, non-ephemeral self-hosted runners left at GitHub's default setting that lets fork pull-request workflows execute on them, so a malicious draft PR running a curl-pipe-bash payload executed attacker code directly on the long-lived runner. Because the runner was not torn down between jobs, the attackers stole the runner's GitHub Actions registration token plus a write-scoped GITHUB_TOKEN, the GH_PYTORCHBOT_TOKEN and UPDATEBOT_TOKEN personal access tokens reaching 90-plus repositories, and the aws-pytorch-uploader AWS keys. This was a textbook self-hosted-runner plus fork-PR poisoned pipeline execution (pwn request) that enabled release and S3 artifact poisoning of distributed PyTorch binaries.

Between July 8 and July 11, 2023, in a campaign documented by Checkmarx, attackers pushed malicious commits to hundreds of public and private GitHub repositories while disguising them as automated contributions from the legitimate Dependabot bot. The attackers obtained victims' GitHub Personal Access Tokens, likely exfiltrated from developer machines via a malicious open-source package, and used those tokens to push commits whose author and commit message ('fix') were falsified to appear as the dependabot[bot] account, since Git and the GitHub API let a token holder set arbitrary commit metadata and PAT activity does not surface in the account audit log. Each malicious commit added a GitHub Actions workflow file (hook.yml) that triggered on every push and exfiltrated the project's defined secrets and environment variables to an attacker-controlled command-and-control server. The same commits modified existing JavaScript files in the repository, injecting obfuscated web-form password-stealer code that captured credentials submitted by end users and forwarded them to the same server. Most affected accounts belonged to Indonesian developers.

Insufficient credential hygiene is the class in which long-lived, broadly-scoped secrets such as cloud access keys, registry tokens, and signing keys are stored as static CI variables, so any pipeline compromise (or any poisoned-pipeline, OIDC, or cache attack) yields durable, high-blast-radius credentials. The root mechanism is that static secrets do not expire, are often shared across projects, and grant standing access far beyond a single build, so theft of the CI platform's secret store or of a single workflow's environment converts a transient foothold into persistent access to production cloud and registry accounts. The CircleCI breach of January 2023 is the canonical illustration: malware on an engineer's laptop stole a valid 2FA-backed SSO session, letting attackers exfiltrate customers' environment variables, API tokens, and SSH keys, and CircleCI had to invalidate project tokens and instruct every customer to rotate all stored secrets, a platform-wide rotation that demonstrated the systemic cost of static-credential dependence. OWASP catalogues this as CICD-SEC-6 and recommends short-lived OIDC tokens and least privilege as the structural fix.

Between September 3 and September 10, 2021 a flaw in Travis CI's build activation process, tracked as CVE-2021-41077 and disclosed publicly on September 13, caused secure environment variables to be injected into builds they should never reach. Secret data normally restricted to the private context of a repository was unexpectedly shared with builds triggered by pull requests from forks of public repositories, contradicting the customer's .travis.yml configuration. As a result anyone could fork a public project, open a pull request, and simply print the build environment to read the upstream project's secret environment variables, exposing signing keys, access credentials, and API tokens across thousands of open-source projects. This was a secret-exfiltration-to-forked-builds class flaw; Ethereum's Felix Lange flagged it on September 7 and Travis CI silently patched it on September 10 with no initial post-mortem, prompting affected projects such as conda-forge to rotate roughly 70 feedstock tokens.