In one week, me and Adnan Khan will have the privilege of speaking at Black Hat USA and DEF CON 32.

It seems like yesterday I was sitting in the corner of my family’s gym in Essex, Vermont, trying to pass my OSCP exam so I could get my first job.

Two years later, I’m preparing an endless number of PowerPoint slides for what will be the two biggest talks of my career so far. Death by PowerPoint almost makes me wish I was back on hour 20 of my OSCP exam. Almost.

These talks are a culmination of CI/CD vulnerability research I performed with Adnan in 2023 and 2024. During this research, we identified CI/CD vulnerabilities in organizations like Google, Microsoft, PyTorch, TensorFlow, GitHub Actions, blockchains, and more, most of which could have caused critical supply chain attacks. I’m still shaken when I think about how catastrophic some of our exploits could have been in the hands of the bad guys.

We’ve written about several of our attack paths, but have saved many of the details hoping that we’d get accepted to a large conference like Black Hat or DEF CON.

Here’s an excerpt from our research introduction blog post back in January…we’ve been hinting (and hoping) at this for a while.

Excerpt from our PyTorch compromise blog post with another conference submission teaser. If you want to do some background reading, there’s a collection of articles we’ve released at the end of this post.

Miraculously, we got accepted to both conferences.

Our Black Hat and DEF CON talks are not the same. When submitting our CFPs, we made sure that we had enough unique content in each talk so that people could go to both with minimal content overlap.

Deciding which talks to attend at these massive conferences can be overwhelming. In this article, I’ll introduce each of our talks so you can decide if they should make your BH and DC lineup.

Breaking Down the Talks

Self-Hosted GitHub Runners: Continuous Integration, Continuous Destruction (Black Hat) is a high-level overview of our research. During this talk, we will show that there is a systemic lack of awareness around self-hosted CI/CD agent security in the world’s most advanced technological organizations, exposing them to critical supply chain attacks.

We’ll demonstrate this by walking through three case studies from our research. Each case study will have a unique attack path we identified to compromise a world-renown organization.

Date: Wednesday, August 7, 1:30pm-2:10pm ( South Seas AB, Level 3 )

Grand Theft Actions: Abusing Self-Hosted GitHub Runners at Scale (DEF CON) is a technical deep dive into the TTPs that allow us to turn trivial runner compromises into critical supply chain attacks.

We’ll still touch on the breadth of our research, but our goal in the DEF CON talk is to share detailed TTPs we’ve learned about self-hosted runner abuse, some of which we’ve never before shared publicly. We’ll explain these TTPs through one of our attacks that required extensive usage of GitHub Actions post-exploitation techniques to compromise a major player in the AI/ML industry.

Date: Saturday, August 10th, 12:00pm (LVCC – L1 – HW1-11-04)

Both talks will showcase critical CI/CD abuse cases that most of the tech community is unaware of. And of course, they’ll each have awesome war stories, as we share the progression of our research and the experiences we’ve had along the way.

So, Which Talk Should You Attend?

Both 🙂

And no, I am not biased, obviously.

If you have any interest in supply chain or CI/CD security, you will benefit from both talks. But if you have to pick one, here are some highlights of each that can help you decide.

Black Hat: Continuous Integration, Continuous Destruction	DEF CON: Grand Theft Actions
– Extensive overview of our research, showing the public self-hosted CI/CD threat landscape – More friendly to anyone new to CI/CD attacks – Technical details on self-hosted runner takeover attacks – Several cool war stories – New tool release – Defensive strategies	– In-depth look at one of our most impactful attacks – More catered to the CI/CD nerds (but will also have sufficient background information for beginners) – Technical details focused on GitHub Actions post-exploitation – One in-depth war story – New tool release – Defensive strategies

See You in LV!

Anyone who’s going to be in Vegas for the conferences, feel free to reach out. I’ve been humbled by how many people have been following our research, and would love to meet in person.

Want to hear more? Subscribe to the official John IV newsletter to receive live, monthly updates of my interests and passions.