GitHub Actions exploitation: self hosted runners
Common Information
Type Value
UUID 5ccfcc21-99e8-4808-b4dc-7b8301de13f3
Fingerprint 1d64751d4d325aea
Analysis status DONE
Considered CTI value 0
Text language
Published July 17, 2024, midnight
Added to db Aug. 31, 2024, 10:48 a.m.
Last updated Nov. 18, 2024, 11:24 a.m.
Headline GitHub Actions exploitation: self hosted runners
Title GitHub Actions exploitation: self hosted runners
Detected Hints/Tags/Attributes 45/1/23
RSS Feed
Id 414
Enabled
Feed title Last Blog Article
Url https://www.synacktiv.com/en/feed/lastblog.xml
Added to db 2024-08-30 22:08
Attributes
Type             #Events  CTI Value  Value
Domain           1                   exfil.sh
Domain           39                  run.sh
Domain           1                   run-helper.sh
Domain           1                   c146c643-e8b1-4247-95f6-da15630cfa23.sh
Domain           1                   rssysstat.sh
Domain           2                   docker.pid
Domain           5                   npmjs.org
Domain           4131                github.com
Domain           1                   adnanthekhan.com
Domain           10                  www.praetorian.com
File             34                  next.js
File             1                   exfil.txt
File             5                   token.txt
File             674                 node.js
Github username  7                   praetorian-inc
Github username  5                   synacktiv
Url              1                   https://ip.ip.ip.ip/static/exfil.sh
Url              1                   https://ip.ip.ip.ip/upload
Url              2                   https://github.com/praetorian-inc/gato
Url              3                   https://github.com/synacktiv/octoscan
Url              1                   https://adnanthekhan.com/2023/12/20/one-supply-chain-attack-to-rule-the
Url              1                   https://www.praetorian.com/blog/tensorflow-supply-chain-compromise-via-self-hosted-runner-attack
Url              1                   https://johnstawinski.com/2024/01/11/playing-with-fire-how-we-executed-a-critical-supply-chain-attack-on-pytorch