Agent of Chaos: Hijacking NodeJS’s Jenkins Agents
When multiple DevOps platforms work together to execute pipelines for a single GitHub repository, it raises the question: Do these platforms get along? Node.js, the most popular JavaScript runtime in the world, uses a trio of components to execute its CI/CD pipelines: a GitHub App, GitHub Actions workflows, and Jenkins pipelines. Like many children, parenting…
CodeQLEAKED – Public Secrets Exposure Leads to Supply Chain Attack on GitHub CodeQL
A potential supply chain attack on GitHub CodeQL started simply: a publicly exposed secret, valid for 1.022 seconds at a time. In that second, an attacker could take a series of steps that would allow them to execute code within a GitHub Actions workflow in most repositories using CodeQL, GitHub’s code analysis engine trusted by…
Living as a Digital Nomad in Innsbruck, Austria
In July 2022, I stepped off the train in Innsbruck, Austria, during a six-week backpacking trip. I stared at the spiny, massive mountains over the arch that guards the Old Town. I turned to my brother and said, “I’m going to live here someday.” A pic of the arch and the mountains from my first…
