YoVDO

Abusing GitHub for Fun and Profit - Actions and Codespaces Security

Offered By: NDC Conferences via YouTube

Tags

NDC Conferences Courses
Cybersecurity Courses
Software Supply Chain Security Courses

Course Description

Overview

Explore how GitHub Actions and Codespaces, two widely used GitHub features, can be abused by attackers in this conference talk. The point is misuse of legitimate functionality rather than a software bug: attackers run crypto miners on the free compute, use the platform as a malware delivery channel, and use GitHub-hosted runners as a foothold for reaching the Azure network they run in. Learn about real-world exploitation scenarios and proof-of-concept examples derived from a threat-modeling analysis, together with practical guidance on detecting, avoiding, and preventing such attacks against codebases and pipelines. Follow the infection chain of GitHub and Netlify abuse, see how Dev-Containers and the GitHub CLI automate the attacker's setup, and understand how Windows, Linux, and macOS runners can each be misused. Understand how the GitHub Actions Marketplace can be used to distribute malicious actions and how runners can be used for pivoting attacks. Acquire countermeasures and recommendations for protecting a software supply chain platform and improving overall GitHub security posture.

Syllabus

Intro
Infection Chain of GitHub/Netlify Abuse
Automate w/ Dev-Containers & GitHub CLI
Attacker's Dev-Container Config
Malware Abusing Codespaces
Actions Overview
GHA Marketplace
Abusing Windows Runners pt 2
List of repos with the SAME code!
Abusing Linux Runners
Abusing macOS Runners
Run nmap inside the Azure network
Reverse shell from the Runner
Pivot attacks using Runners
Malicious GitHub Actions
GHA Countermeasures
Codespaces Recommendations
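The "GHA Marketplace", "Malicious GitHub Actions" and "GHA Countermeasures" items above concern third-party actions running inside your pipeline with your repository's token and secrets. The following script is an added example written for this listing, not code from the talk or from GitHub: it scans workflow files for three well-known hardening gaps (actions referenced by a mutable tag or branch instead of a commit SHA, a missing top-level `permissions:` block, and a `pull_request_target` trigger that checks out the pull request head). The two sample workflows, the 40-hex placeholder SHAs and the rule names are constructed for the example; the rules themselves are the editor's choice, not a list the talk is known to give.

```python
"""Static checks for GitHub Actions workflow files (added example, not the talk's code).

Rules, each of which closes a door that Marketplace-action abuse or runner
takeover walks through:
  unpinned-action      third-party action referenced by tag/branch, not a commit SHA
  no-permissions-block no top-level `permissions:`, so GITHUB_TOKEN gets the repo default
  pwn-request          `pull_request_target` plus checkout of the PR head: untrusted
                       fork code runs with the base repository's secrets and token
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")


@dataclass
class Finding:
    rule: str
    detail: str
    line: Optional[int] = None  # None for file-level findings


def check_workflow(text: str) -> List[Finding]:
    """Line-based scan; deliberately avoids a YAML dependency. Job-level
    `permissions:` blocks (indented) are not counted, only the top-level one."""
    findings: List[Finding] = []
    has_permissions = False
    pr_target = False
    checks_out_pr_head = False

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing YAML comments
        if not line.strip():
            continue
        if line.startswith("permissions:"):  # column 0 => top-level key
            has_permissions = True
        if "pull_request_target" in line:
            pr_target = True
        if "github.event.pull_request.head" in line:
            checks_out_pr_head = True
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions are out of scope for this rule
        if "@" not in ref:
            findings.append(Finding("unpinned-action", f"{ref} has no version ref", lineno))
            continue
        name, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(Finding("unpinned-action", f"{name} uses mutable ref {version!r}", lineno))

    if not has_permissions:
        findings.append(Finding("no-permissions-block", "GITHUB_TOKEN falls back to the repository default scope"))
    if pr_target and checks_out_pr_head:
        findings.append(Finding("pwn-request", "pull_request_target checks out and runs untrusted PR code"))
    return findings


# Constructed "before" workflow: all three gaps. The SHA below is a placeholder, not a real commit.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: some-org/some-action@main
      - run: npm ci && npm test
"""

# Constructed "after" workflow: untrusted-PR trigger, least-privilege token, every action SHA-pinned.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}:")
        for f in check_workflow(wf):
            print(f"  [{f.rule}] {'line ' + str(f.line) if f.line else 'file'}: {f.detail}")
```

Run against the constructed "before" workflow it reports two unpinned actions (lines 9 and 13), the missing permissions block and the pwn-request pattern; the "after" workflow is clean. Pinning to a commit SHA matters because a Marketplace tag such as `v4` or a branch such as `main` can be moved to new code by whoever controls the action repository, which is exactly the distribution channel the "Malicious GitHub Actions" section is about; `pull_request_target` matters because, unlike `pull_request`, it runs with the base repository's secrets even for pull requests from forks.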


Taught by

NDC Conferences

Related Courses

GitHub Supply Chain Security Using GitGat
Linux Foundation via edX
Introduction to Security Principles in Cloud Computing
Google via Google Cloud Skills Boost
DevOps with GitHub and Azure: Implementing Software Supply Chain Security with GitHub
Pluralsight
Hardening Your Soft Software Supply Chain
Pluralsight
Secure Software Supply Chain: Using Cloud Build & Cloud Deploy to Deploy Containerized Applications
Google via Google Cloud Skills Boost