Category: Uncategorized
-
Agent of Chaos: Hijacking NodeJS’s Jenkins Agents
When multiple DevOps platforms work together to execute pipelines for a single GitHub repository, it begs the question: Do these platforms get along? Node.js, the most popular JavaScript runtime in the world, uses a set of triplets to execute its CI/CD pipelines: a GitHub App, GitHub Actions workflows, and Jenkins pipelines. Like many children, parenting…
-
CodeQLEAKED – Public Secrets Exposure Leads to Supply Chain Attack on GitHub CodeQL
A potential supply chain attack on GitHub CodeQL started simply: a publicly exposed secret, valid for 1.022 seconds at a time. In that second, an attacker could take a series of steps that would allow them to execute code within a GitHub Actions workflow in most repositories using CodeQL, GitHub’s code analysis engine trusted by…
-
Living as a Digital Nomad in Innsbruck, Austria
In July 2022, I stepped off the train in Innsbruck, Austria, during a six-week backpacking trip. I stared at the spiny, massive mountains over the arch that guards the Old Town. I turned to my brother and said, “I’m going to live here someday.” A pic of the arch and the mountains from my first…
-
Black Hat and DEF CON Preview: “Grand Theft Actions” or “Continuous Integration, Continuous Destruction”?
In one week, Adnan Khan and I will have the privilege of speaking at Black Hat USA and DEF CON 32. It seems like yesterday I was sitting in the corner of my family’s gym in Essex, Vermont, trying to pass my OSCP exam so I could get my first job. Two years later, I’m…
-
Fixing Typos and Breaching Microsoft’s Perimeter
Progressing through certifications, developing as a red teamer, breaking into Bug Bounty — many steps along my security journey have been difficult. One of the easiest things I’ve done was breach Microsoft’s perimeter. Two weeks before compromising a domain-joined Microsoft server, former coworker Adnan Khan discovered a critical supply chain vulnerability in GitHub’s Runner Images.…
-
Playing with Fire – How We Executed a Critical Supply Chain Attack on PyTorch
Security tends to lag behind adoption, and AI/ML is no exception. Four months ago, Adnan Khan and I exploited a critical CI/CD vulnerability in PyTorch, one of the world’s leading ML platforms. Used by titans like Google, Meta, Boeing, and Lockheed Martin, PyTorch is a major target for hackers and nation-states alike. Thankfully, we exploited…
-
Worse than SolarWinds: Three Steps to Hack Blockchains, GitHub, and ML through GitHub Actions
Six months ago, my friend and colleague Adnan Khan started researching a new class of CI/CD attacks. Adnan grasped the significance of these attacks after executing them against GitHub to gain total control of the GitHub Actions runner images. GitHub’s bug bounty program scored this vulnerability as “Critical” and paid a $20,000 reward. Following this…
-
Lessons from Solo Travelling
Simon realized he could see his shadow on the ocean floor. It took me a minute, but looking down from my board, I realized I could too – through eighteen feet of turbulent ocean water. So could Amara sitting next to us. We were the only people on this break, two hundred meters offshore from…
-
Scoring 100 Points on the New OSCP Exam: My Exam Experience
After investing thousands of hours into becoming a computer hacker, I’m still overwhelmed with how much there is to learn. Sometimes I’m so lost that I wonder if I have learned anything at all. This makes it hard to feel like I’ve improved. For me, the OSCP was about validating my growth and proving I…
-
2023 OSCP Study Guide (New Exam Format)
When Offsec announced the course update, I was nervous. I had no idea what Active Directory was, and now it was the most important section of the exam. Not ideal. Especially because I was one of the first people to attempt the new exam format, which meant there were very few updated study guides. In…
