All CosmicBytez Labs articles tagged #CI/CD, across news, security advisories, how-to guides, and projects.
Novee Security researchers have identified a critical exploitable CI/CD workflow pattern dubbed Cordyceps that enables attackers to hijack GitHub Actions...
Security researchers have disclosed a class of exploitable flaws in CI/CD pipeline configurations that allow unauthenticated attackers to take full...
GitHub released actions/checkout v7 on June 18, 2026, adding default protections that refuse to fetch fork PR code inside pull_request_target workflows —...
A Russian IAB harvests 110M credentials from FortiGate firewalls; the Icarus group drains hundreds of Salesforce orgs via Klue OAuth tokens; a 29-year-old...
Cybersecurity researchers have uncovered Megalodon, an automated attack campaign that pushed 5,718 malicious commits to over 5,500 GitHub repositories in...
Threat actors have compromised the widely-used actions-cool/issues-helper GitHub Action, redirecting every existing tag to a malicious imposter commit...
A command injection vulnerability in WebdriverIO below version 9.24.0 allows remote code execution through malicious git branch names containing shell...
Adversaries are increasingly weaponizing CI/CD pipelines as a living-off-the-land vector — abusing trusted build infrastructure to execute attacks without...
A new supply chain attack campaign dubbed BufferZoneCorp has been observed using sleeper packages in RubyGems and Go module registries to push...
Google has patched a maximum severity vulnerability in its Gemini CLI npm package and GitHub Actions workflow that allowed unprivileged attackers to...
The open-source Trivy security scanner was weaponized by threat actor TeamPCP in a supply chain attack that hijacked 75 release tags to deploy an...
Trivy, Aqua Security's widely used open-source vulnerability scanner, was compromised a second time in a month. Attackers hijacked 75 GitHub Actions tags...
A critical SSRF vulnerability (CVSS 9.1) in Spinnaker's clouddriver and orca components bypasses the previous CVE-2025-61916 URL validation patch through...
Threat actor UNC6426 leveraged stolen credentials from last year's nx npm supply chain attack to achieve full AWS administrator access at a victim...
Transform Claude Code from a chatbot into a DevOps co-pilot. Set up CLAUDE.md templates, custom hooks, reusable agents, deployment skills, and MCP server...
Pre-deployment checklist for launching new applications into production — security review gates, monitoring setup, rollback procedures, dependency...
Harden your CI/CD pipeline by replacing long-lived secrets with OIDC short-lived tokens, pinning third-party actions to commit SHAs, enforcing...
Build a secure CI/CD pipeline with GitHub Actions deploying to Azure. Covers build, test, security scanning (SAST/DAST), and deployment with OIDC...