SC-PYTORCH-RUNNER-2024
CI/CD · GitHub Actions · pytorch/pytorch
Summary
On January 11, 2024, Praetorian researchers John Stawinski and Adnan Khan publicly disclosed a critical supply-chain attack against PyTorch's GitHub Actions CI, originally reported on August 9, 2023. They first merged a trivial markdown typo fix, which promoted their account to a returning contributor whose pull-request workflows no longer required manual approval. PyTorch ran CI on persistent, non-ephemeral self-hosted runners left at GitHub's default setting that lets fork pull-request workflows execute on them, so a malicious draft PR running a curl-pipe-bash payload executed attacker code directly on the long-lived runner. Because the runner was not torn down between jobs, the attackers stole the runner's GitHub Actions registration token plus a write-scoped GITHUB_TOKEN, the GH_PYTORCHBOT_TOKEN and UPDATEBOT_TOKEN personal access tokens reaching 90-plus repositories, and the aws-pytorch-uploader AWS keys. This was a textbook poisoned pipeline execution ("pwn request") that combined a fork PR with a self-hosted runner, and it enabled release and S3 artifact poisoning of distributed PyTorch binaries.
How to avoid it in your code
- Use ephemeral, single-job isolated self-hosted runners so attacker code cannot persist and harvest later jobs' credentials.
- Require manual approval for workflows from first-time and fork contributors, and do not auto-trust returning contributors.
- Never let fork pull-request workflows run on self-hosted runners holding secrets or cloud keys.
- Scope GITHUB_TOKEN to read-only by default and avoid storing broad PATs and AWS keys on build runners.
- Move release and artifact uploads behind short-lived OIDC cloud roles with environment protection rules and required reviewers.
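Added example, not taken from the PyTorch repository: the weak workflow shape behind the attack above, beside a hardened one that applies the five points. The release environment name, the IAM role ARN, the bucket and run_tests.sh are placeholders.

```yaml
# Weak: fork PR jobs share a long-lived self-hosted runner with release jobs.
name: ci-weak
on: [pull_request, push]
jobs:
  test:
    runs-on: [self-hosted, linux]   # persistent runner, never re-imaged
    steps:
      - uses: actions/checkout@v4   # default persist-credentials: true
      - run: ./run_tests.sh         # PR-controlled script
  upload:
    runs-on: [self-hosted, linux]   # same runner later runs this job with keys
    env:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}       # static key
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    steps:
      - run: aws s3 cp dist/ s3://placeholder-bucket/ --recursive
---
# Hardened: PR code on a throwaway GitHub-hosted VM with a read-only token;
# uploads only on tags, behind a reviewed environment, via a short-lived
# OIDC role instead of stored AWS keys.
name: ci-hardened
on:
  pull_request:
  push:
    tags: ['v*']
permissions:
  contents: read                    # read-only GITHUB_TOKEN for every job
jobs:
  test:
    runs-on: ubuntu-latest          # fresh VM per job, discarded afterwards
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # keep the token out of .git/config
      - run: ./run_tests.sh
  upload:
    if: startsWith(github.ref, 'refs/tags/v')
    needs: test
    runs-on: ubuntu-latest
    environment: release            # required reviewers configured on it
    permissions:
      id-token: write               # only what OIDC federation needs
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::000000000000:role/placeholder-release
          aws-region: us-east-1
      - run: aws s3 cp dist/ s3://placeholder-bucket/ --recursive
```

Two controls live outside the YAML: the repository's Actions policy "Require approval for all outside collaborators", so returning contributors are not auto-trusted, and registering any self-hosted runner with `./config.sh --ephemeral` so it takes exactly one job before re-registration.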
References
- https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch/
- https://www.praetorian.com/blog/tensorflow-supply-chain-compromise-via-self-hosted-runner-attack/
- https://www.csoonline.com/article/1290656/researchers-demo-new-ci-cd-attack-techniques-in-pytorch-supply-chain-attack.html
- https://github.com/jstawinski/GitHub-Actions-Attack-Diagram
Related vulnerabilities
- MEDIUM · GHSA-X7CF-6GP3-Q5F8
Duplicate Advisory: MCP Streamable HTTP redirects could forward configured custom headers to another origin
- HIGH · GHSA-F989-C77F-R2CQ
Crawl4AI: LLM credential exfiltration in Docker server via request base_url and env: token resolution
- HIGH · SC-ARTIPACKED-2024
On August 13, 2024, Palo Alto Networks Unit 42 published ArtiPACKED, a widespread CI/CD misconfiguration class in which GitHub Actions build artifacts inadvertently leaked authentication tokens, affecting major open-source projects from Google, Microsoft, Red Hat, AWS, Canonical, and OWASP. The root cause is that actions/checkout persists credentials by default, writing the workflow's GITHUB_TOKEN into the checked-out .git/config for authenticated Git operations; when a later step uploaded the workspace (test results, build output, or the full checkout directory) via actions/upload-artifact, the .git directory and its embedded token, along with environment-derived secrets and cloud credentials, were packaged into the downloadable artifact. Because v4 artifacts can be downloaded while the run is still in progress and are readable by anyone for public repositories, an attacker could win a race condition: download the artifact, extract the still-valid GITHUB_TOKEN before the job completed and the token expired, and use it to push code, create branches, or pivot into connected cloud environments. Unit 42 identified numerous large projects leaking tokens this way and disclosed each responsibly for remediation.
- CRITICAL · SC-GITLAB-PIPELINE-2024
CVE-2024-6385 was a critical improper access control flaw in GitLab Community and Enterprise Edition disclosed on July 11, 2024, affecting versions from 15.8 before 16.11.6, 17.0 before 17.0.4, and 17.1 before 17.1.2, that under certain circumstances let an attacker trigger and run a CI/CD pipeline as another, arbitrary user. The bug stemmed from the pipeline-triggering logic failing to correctly validate the identity of the user on whose behalf a pipeline was started, so jobs executed with the victim's permissions, CI_JOB_TOKEN, and access to their CI/CD secrets such as cloud tokens, Kubernetes service accounts, and attached identities, enabling privilege escalation across the platform. It was effectively a re-fix of CVE-2024-5655 (also critical, disclosed late June 2024), whose root cause was that merge requests automatically retargeted to a new branch upon merge would inadvertently trigger pipeline execution as the original author without manual initiation, with GraphQL CI_JOB_TOKEN authentication being disabled by default as part of the mitigation. Both flaws were rated critical by GitLab and prompted urgent patch guidance.
- HIGH · SC-DEPENDABOT-IMPERSONATION-2023
Between July 8 and July 11, 2023, in a campaign documented by Checkmarx, attackers pushed malicious commits to hundreds of public and private GitHub repositories while disguising them as automated contributions from the legitimate Dependabot bot. The attackers obtained victims' GitHub Personal Access Tokens, likely exfiltrated from developer machines via a malicious open-source package, and used those tokens to push commits whose author and commit message ('fix') were falsified to appear as the dependabot[bot] account, since Git and the GitHub API let a token holder set arbitrary commit metadata and PAT activity does not surface in the account audit log. Each malicious commit added a GitHub Actions workflow file (hook.yml) that triggered on every push and exfiltrated the project's defined secrets and environment variables to an attacker-controlled command-and-control server. The same commits modified existing JavaScript files in the repository, injecting obfuscated web-form password-stealer code that captured credentials submitted by end users and forwarded them to the same server. Most affected accounts belonged to Indonesian developers.
- HIGH · SC-CRED-HYGIENE-CICDSEC6-2023
Insufficient credential hygiene is the class in which long-lived, broadly scoped secrets such as cloud access keys, registry tokens, and signing keys are stored as static CI variables, so any pipeline compromise (or any poisoned-pipeline, OIDC, or cache attack) yields durable, high-blast-radius credentials. The root mechanism is that static secrets do not expire, are often shared across projects, and grant standing access far beyond a single build, so theft of the CI platform's secret store or of a single workflow's environment converts a transient foothold into persistent access to production cloud and registry accounts. The CircleCI breach of January 2023 is the canonical illustration: malware on an engineer's laptop stole a valid 2FA-backed SSO session, letting attackers exfiltrate customers' environment variables, API tokens, and SSH keys, and CircleCI had to invalidate project tokens and instruct every customer to rotate all stored secrets, a platform-wide rotation that demonstrated the systemic cost of static-credential dependence. OWASP catalogues this as CICD-SEC-6 and recommends short-lived OIDC tokens and least privilege as the structural fix.