Overview I reported a subtle race condition in Google Cloud Build’s GitHub integration that could have allowed someone to bypass maintainer review when running pull request integration tests. Google Cloud Build is a managed CI/CD platform that integrates with third-party source code management systems like GitHub. Since CI/CD systems are essentially code execution as a service, access control becomes very important. When a Google Cloud Build customer integrates with GitHub, they can config...| Adnan Khan's Blog
Overview I identified a High risk vulnerability impacting GitHub’s dependabot-core repository that could have allowed an attacker to conduct a supply chain attack on GitHub users by backdooring the Dependabot containers. The cause of the vulnerability was a race condition in a workflow that maintainers would trigger to perform integration testing on approved pull requests prior to merging. Background Continuous Integration / Continuous Delivery (CI/CD) pipelines for Open-Source (and even cl...
Introduction I’ve been doing a lot of scanning and reporting of GitHub Actions injection and pwn request vulnerabilities throughout GitHub. Most of my scanning and testing focused on workflows - that is, YAML files in the .github/workflows directory - and my regexes didn’t look at files in other directories, such as action.yml, which is used as the entry point for any repository that functions as a reusable GitHub Action. At Defcon Asi Greenholts and his team from Palo Alto Networks outlined t...
I’ve been quite busy with hacking in my spare time, and most of my time has been dedicated to hacking, and most of my writing time has been allocated to reports. Now that I’m allowed to talk about some of my most impressive hacks I plan to post detailed writeups here so that the security community can be on the lookout for these kinds of attacks. The most significant vulnerability I reported was one that provided a path to backdoor the GitHub Actions runner images used for hosted builds o...
I’ve had the opportunity to speak at several information security conferences over the years. You can find all the talks I’ve given along with links to slides and recordings (if available). RomHack 2025 Recording Slides Slides in PDF Def Con 32 Recording Slides Slides in PDF
$ whoami I’m Adnan, a security engineer and researcher who likes learning about new ways to break software. My current focus has been CI/CD security and software supply chain attacks. You can find some of the open-source software I’ve developed on my GitHub! I've had the fortune to present some of my research at well-known cybersecurity conferences such as Black Hat and DEF CON. In this blog, you'll find write-ups on the research I've done and bug bounties I've earned along the way. For m...
North Korea's Lazarus hacker group compromised the Safe wallet frontend and pulled off a 1.4 billion dollar heist. It could happen again, but this time through GitHub.
In this post, I demonstrate Cacheract, which is an open source proof-of-concept for “Cache Native Malware” that exploits GitHub Actions cache misconfigurations.
In this post, I cover how I discovered a CI/CD misconfiguration in the Release Drafter GitHub action and demonstrated how it could have directly impacted a Google-owned open-source repository (and many more!) that used it by tag instead of SHA.
In just over a week, I’ll be speaking at Black Hat 2024 and DEF CON 32 along with my co-presenter, John Stawinski. We’re going to share our research on Self-Hosted GitHub Runner attacks…
What if there was a supply chain attack that could provide an attacker with direct access to core infrastructure within thousands of companies worldwide? What if that attack required no social engi…
GitHub Actions caching has some insecure design decisions that allow for some unique attacks. It’s considered working as intended, but there are many ways it can go wrong. Learn how I identif…
Learn about how I used a custom tool to find a Google-owned repository vulnerable to a GitHub Actions Poisoned Pipeline Execution attack and earned a $7,500 bug bounty!
Web3 has a weakness, and that is CI/CD security. Learn how I responsibly disclosed a Critical vulnerability in Astar Network’s GitHub repository that would have allowed attackers to conduct a…
Preface Let’s think for a moment what a nightmare supply chain attack could be. An attack that would be so impactful that it could be chained to target almost every company in the world. For an attacker to carry out such an attack they would need to insert themselves into a component fundamental to building the largest open-source software projects on the Internet. What would an attacker need to target in order to carry out this attack? Cloud infrastructure would certainly qualify. What abo...