A new analysis from SentinelOne's threat research team examines how modern adversaries are turning CI/CD pipelines into attack infrastructure — a technique researchers are calling "living off the pipeline" (LOTP). Much like traditional living-off-the-land (LOTL) attacks abuse legitimate system tools to evade detection, LOTP attacks leverage the trusted, high-privilege environment of build pipelines to execute malicious actions while blending into normal development workflows.
The CI/CD Attack Surface
Continuous integration and continuous delivery systems have become foundational to modern software development. Tools like GitHub Actions, GitLab CI, Jenkins, CircleCI, and ArgoCD run with elevated permissions, have access to production secrets, and execute code that flows directly into software releases. This makes them extraordinarily attractive to attackers.
The attack surface includes:
- Pipeline configuration files (.github/workflows/*.yml, Jenkinsfile, .gitlab-ci.yml) — version-controlled alongside source code, often with limited review scrutiny.
- Secrets and environment variables — API keys, signing certificates, cloud credentials, and deployment tokens injected at runtime.
- Third-party actions and plugins — Reusable pipeline components that can be silently compromised upstream (as seen in the Trivy GitHub Actions breach and the TeamPCP mini-shai-hulud campaign).
- Runner environments — Self-hosted runners in particular can persist compromised states across jobs.
- Artifact registries — Build outputs that flow into downstream deployments.
How Adversaries Weaponize Pipelines
SentinelOne's research identifies several distinct techniques adversaries use to subvert CI/CD infrastructure:
Poisoned Pipeline Execution (PPE)
In a PPE attack, an adversary modifies pipeline configuration files in a branch or fork of a repository. If the pipeline executes on pull requests from forks — a common configuration — the malicious pipeline code runs within the trusted environment, with access to repository secrets.
Dependency Confusion and Typosquatting
Attackers publish malicious packages to public registries (npm, PyPI, RubyGems) with names that shadow private internal packages or closely resemble popular ones. When pipelines resolve dependencies, they pull the attacker-controlled version.
Compromised Actions or Plugins
Third-party GitHub Actions, Jenkins plugins, or CircleCI orbs can be silently compromised through maintainer account takeover, supply chain attacks on their own dependencies, or malicious tag manipulation. The Trivy Actions breach in early 2026, where 75 tags were hijacked to deliver an infostealer, demonstrated this vector at scale.
Secrets Exfiltration via Log Injection
Poorly sanitized pipeline output can expose secrets through log files, build artifacts, or debug output — particularly when verbose logging is enabled and build logs are publicly accessible.
Persistent Runner Compromise
Self-hosted runners that are not isolated between jobs can be compromised by a malicious job that leaves behind persistent implants — modifying global tool configurations, planting backdoored binaries in shared directories, or abusing shared credential caches.
The Behavioral Monitoring Imperative
Traditional signature-based security tools struggle with LOTP attacks because the malicious actions are performed using legitimate pipeline tools — curl, git, docker, aws, kubectl — indistinguishable from normal pipeline operations at the command level.
SentinelOne argues that continuous behavioral monitoring is the key defensive layer. Effective behavioral monitoring for CI/CD environments should:
- Establish baselines — understand what normal pipeline execution looks like: which binaries run, which external endpoints are contacted, what data is accessed or transmitted.
- Alert on anomalies — flag unexpected outbound network connections from build runners, unusual credential access patterns, spawning of unexpected child processes, or file system writes outside expected directories.
- Monitor pipeline-as-code changes — treat workflow file modifications with the same review rigor as application code changes; require code owner approval for changes to .github/workflows/ directories.
- Correlate across the pipeline lifecycle — link build events, deployment events, and runtime behavior to detect multi-stage attacks that span the CI/CD → production boundary.
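The baseline and anomaly bullets above, as an added example that is not SentinelOne's code: it records which binaries, outbound hosts and write directories a pipeline has used in earlier runs, then flags events in a new run that fall outside that set. The event tuple format, pipeline name, hosts and paths are constructed for illustration.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed telemetry from earlier known-good runs: (pipeline, kind, value).
# kind: "exec" = binary started, "connect" = outbound host, "write" = file path.
HISTORY = [
    ("build-api", "exec", "git"), ("build-api", "exec", "docker"),
    ("build-api", "exec", "curl"),
    ("build-api", "connect", "github.com"),
    ("build-api", "connect", "registry.example.internal"),
    ("build-api", "write", "/home/runner/work/api/dist/app.tar"),
    ("build-api", "write", "/tmp/build-cache/layer1"),
]

# Constructed telemetry from the run being checked.
NEW_RUN = [
    ("build-api", "exec", "git"), ("build-api", "exec", "curl"),
    ("build-api", "connect", "github.com"),
    ("build-api", "connect", "uploads.example.net"),     # host not in baseline
    ("build-api", "exec", "nc"),                          # binary not in baseline
    ("build-api", "write", "/home/runner/work/api/dist/app.tar"),
    ("build-api", "write", "/home/runner/.gitconfig"),   # outside usual dirs
]


def build_baseline(history):
    """Map (pipeline, kind) -> values seen before; writes are kept as directories."""
    baseline = defaultdict(set)
    for pipeline, kind, value in history:
        if kind == "write":
            value = str(PurePosixPath(value).parent)
        baseline[(pipeline, kind)].add(value)
    return baseline


def find_anomalies(baseline, run):
    """Return events whose binary, host or write location is not in the baseline."""
    anomalies = []
    for pipeline, kind, value in run:
        known = baseline.get((pipeline, kind), set())
        if kind == "write":
            # A write is expected if any parent directory was written to before.
            seen = any(str(p) in known for p in PurePosixPath(value).parents)
        else:
            seen = value in known
        if not seen:
            anomalies.append((pipeline, kind, value))
    return anomalies
```

Here curl itself is in the baseline, so only the destination it contacts stands out, which is the gap command-level signatures leave.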
Defensive Recommendations
Security teams responsible for CI/CD infrastructure should prioritize:
- Pin all third-party Actions by commit SHA, not by mutable version tags. Tags can be moved; SHAs cannot. Example: uses: actions/checkout@8ade135... instead of uses: actions/checkout@v4.
- Restrict fork pipeline permissions — Use pull_request_target triggers with care; never allow fork PRs to access repository secrets without explicit approval gates.
- Apply least-privilege to pipeline tokens — Use fine-grained tokens scoped to the minimum required permissions. Avoid storing long-lived secrets in CI/CD environment variables when short-lived OIDC tokens are available (GitHub Actions supports OIDC-based AWS, GCP, and Azure auth without storing cloud credentials).
- Audit pipeline dependencies regularly — Track all third-party actions, plugins, and dependencies; subscribe to security advisories for each.
- Use ephemeral, isolated runners — Each job should run in a fresh, isolated environment that is torn down after completion. Avoid self-hosted persistent runners unless they are strictly necessary and hardened.
- Enable GitHub's dependency review and secret scanning — These tools catch known-bad dependencies and accidentally committed secrets before they reach the pipeline.
- Log and retain pipeline execution telemetry — Ensure build logs, runner audit trails, and secret access events are collected and retained in a SIEM for post-incident investigation.
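A way to check workflow files against the first two recommendations, added here as an example and not taken from SentinelOne's report: it flags `uses:` references that are not pinned to a full 40-character commit SHA, and flags secrets or fork-controlled refs in a workflow triggered by pull_request_target. The workflow text, the example-org action name and its SHA are constructed placeholders.

```python
import re

# Constructed workflow for illustration; the 40-character SHA is a made-up placeholder.
WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: example-org/scan-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-build
      - run: make test
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_workflow(text):
    """Return (line_number, finding) pairs; a text heuristic, not a YAML parser."""
    findings = []
    # pull_request_target runs with the base repository's secrets, even for fork PRs.
    privileged = re.search(r"\bpull_request_target\b", text) is not None
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            ref = m.group(1).partition("@")[2]
            if not FULL_SHA_RE.fullmatch(ref):
                findings.append((n, "action not pinned to a full commit SHA"))
        if privileged and "github.event.pull_request.head" in line:
            findings.append((n, "fork-controlled ref used under pull_request_target"))
        if privileged and re.search(r"\bsecrets\.", line):
            findings.append((n, "secret exposed to a pull_request_target workflow"))
    return findings
```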
The 2026 Context
The LOTP threat is not theoretical. The first half of 2026 has seen an unprecedented wave of CI/CD supply chain attacks: TeamPCP's mini-shai-hulud worm spreading through npm and infecting popular open-source packages; the Checkmarx KICS and Jenkins AST plugin breaches; the Trivy GitHub Actions tag hijack; and the SAP-related npm credential theft campaign. Each of these attacks used legitimate pipeline infrastructure as the attack vector or propagation mechanism.
Organizations that have invested in application security but neglected pipeline security are leaving a significant gap that adversaries are actively exploiting.