Executive Summary
In 2025, a series of sophisticated cyberattacks targeted Continuous Integration and Continuous Deployment (CI/CD) pipelines, exploiting vulnerabilities within these automated software delivery systems. Attackers gained unauthorized access to build servers and developer environments, injecting malicious code that was seamlessly integrated into legitimate software releases. This method allowed adversaries to distribute malware widely, compromising numerous organizations and leading to significant data breaches and operational disruptions. The incidents underscored the critical need for enhanced security measures within CI/CD processes to prevent such supply chain attacks.
These attacks highlight a growing trend where cybercriminals focus on the software supply chain, recognizing the potential to infiltrate multiple organizations through a single compromised pipeline. The increasing reliance on automated development tools necessitates a reevaluation of security protocols to safeguard against such pervasive threats.
Why This Matters Now
The surge in CI/CD pipeline attacks in 2025 underscores the urgent need for organizations to fortify their software development processes. As cybercriminals increasingly exploit these automated systems, implementing robust security measures is critical to prevent widespread supply chain compromises.
Attack Path Analysis
An attacker compromised a self-hosted TeamCity server, escalating privileges to create a malicious build configuration. This allowed lateral movement within the CI/CD environment, establishing command and control through the build pipeline. The attacker exfiltrated sensitive data and impacted the software supply chain by injecting backdoors into build artifacts.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited a vulnerability in a self-hosted TeamCity server to gain unauthorized access.
Related CVEs
CVE-2024-9164
CVSS 8.8
A vulnerability in GitLab Enterprise Edition allows unauthorized users to trigger CI/CD pipelines on any branch, potentially leading to code execution or access to sensitive information.
Affected Products:
GitLab Enterprise Edition – 12.5 < 17.2.9, 17.3 < 17.3.5, 17.4 < 17.4.2
Exploit Status:
no public exploit
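A version triage check for the affected ranges listed above, as an added example that is not part of the original page. It reads each range as "from the first version up to, but not including, the second"; the hostnames and versions in the sample inventory are constructed, and the function names are hypothetical.

```python
import re

# Affected ranges as listed on this page for CVE-2024-9164 (GitLab EE).
# Each pair is (first affected, first fixed): a half-open interval.
AFFECTED_RANGES = [
    ((12, 5, 0), (17, 2, 9)),
    ((17, 3, 0), (17, 3, 5)),
    ((17, 4, 0), (17, 4, 2)),
]

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-(ee|ce))?")

def parse_version(raw):
    """Return ((major, minor, patch), edition) from strings like '17.3.4-ee'."""
    m = VERSION_RE.match(raw.strip().lower())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {raw!r}")
    major, minor, patch, edition = m.groups()
    return (int(major), int(minor), int(patch or 0)), edition

def is_affected(raw):
    """True if the version is inside a listed range and is not a CE build."""
    version, edition = parse_version(raw)
    if edition == "ce":  # the page lists Enterprise Edition only
        return False
    # No edition suffix: assume EE so the host is not silently skipped.
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)

def triage(inventory):
    """Map host -> 'affected' / 'not affected' / 'unknown'."""
    result = {}
    for host, raw in inventory.items():
        try:
            result[host] = "affected" if is_affected(raw) else "not affected"
        except ValueError:
            result[host] = "unknown"  # unparseable: needs a manual check
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "gitlab-prod": "17.3.4-ee",
    "gitlab-stage": "17.3.5-ee",
    "gitlab-legacy": "12.4.9-ee",
    "gitlab-lab": "17.2.9",
    "gitlab-old": "unknown-build",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts reported as "unknown" should be checked by hand rather than treated as unaffected.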
MITRE ATT&CK® Techniques
Poisoned Pipeline Execution
Compromise Software Dependencies and Development Tools
Software Deployment Tools
Unsecured Credentials
Valid Accounts
Account Manipulation
Command and Scripting Interpreter
Abuse Elevation Control Mechanism
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Separation of Duties
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
CI/CD pipeline subversion directly targets build servers, repositories, and developer workstations, compromising trusted software delivery infrastructure with elevated privileges.
Financial Services
Supply chain attacks bypass traditional perimeter defenses, threatening payment systems and trading platforms while potentially violating PCI and banking compliance requirements.
Health Care / Life Sciences
Compromised development pipelines can inject malware into medical device software and patient systems, creating HIPAA violations and patient safety risks.
Computer/Network Security
Security vendors face reputational damage when their own CI/CD infrastructure is compromised, potentially distributing malicious code through trusted security products.
Sources
- Living Off the Pipeline: Defending Against CI/CD Subversion – https://www.sentinelone.com/blog/living-off-the-pipeline-defending-against-ci-cd-subversion/ (Verified)
- GitLab CI/CD pipeline Vulnerability - 20241014001 – https://soc.cyber.wa.gov.au/advisories/20241014001-GitLab-CI-CD-Pipeline-Vulnerability/ (Verified)
- Compromised Mistral AI and TanStack packages may have exposed GitHub, cloud and CI/CD credentials in 'mini Shai Hulud' malware infection – https://www.tomshardware.com/tech-industry/cyber-security/compromised-mistral-ai-and-tanstack-packages-may-have-exposed-github-cloud-and-ci-cd-credentials-in-mini-shai-hulud-malware-infection-supply-chain-campaign-spreads-across-npm-and-ai-developer-ecosystems-like-wildfire (Verified)
- Critical AWS supply chain vulnerability could have let hackers take over key GitHub repositories – https://www.techradar.com/pro/security/critical-aws-supply-chain-vulnerability-could-have-let-hackers-take-over-key-github-repositories (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been limited to the compromised server, reducing the potential for further exploitation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained, reducing the risk of executing malicious configurations with elevated rights.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the CI/CD environment could have been restricted, reducing the risk of compromising additional systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may have been detected and constrained, reducing the risk of remote execution.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data could have been constrained, reducing the risk of data loss.
The attacker's ability to compromise build artifacts may have been constrained, reducing the risk of supply chain attacks.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD)
- Source Code Management
- Release Management
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of source code repositories, build artifacts, and deployment credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict access within the CI/CD environment, limiting lateral movement opportunities.
- Enforce East-West Traffic Security to monitor and control internal communications, detecting unauthorized activities.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into CI/CD operations across cloud environments.
- Apply Egress Security & Policy Enforcement to prevent unauthorized data exfiltration from the build pipeline.
- Deploy Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious behaviors within the CI/CD infrastructure.



