Asi Greenholts
@TupleType
Concentrated AppSec juice • Security Researcher @PaloAltoNtwks
You might like
🚨 We know the real target behind the attack on tj-actions/changed-files! Coinbase! The first publicly known exploitation of the technique I presented at DEFCON 31: The GitHub Action Worm. Read the full story: unit42.paloaltonetworks.com/github-actions… By @omer_gil @yaronavital @_0xffd and I
New research our team released today, showing how we could push code to highly popular open source projects maintained by Google, AWS, Microsoft, & Red Hat, through a race condition in GitHub Actions. Go hunt critical #bugbounty issues ;) by @yaronavital unit42.paloaltonetworks.com/github-repo-ar…
This Saturday I will be speaking at #DefCon32 about OIDC misconfigurations and abuses in the context of CI/CD 🥴👹. Come check it out! info.defcon.org/event/?id=54867 @PaloAltoNtwks #OIDC #oauth2 #ci #cd
Two great talks delivered in Vegas this year by our team - again! In this year’s hacker summer camp in LV, our Research team will stand on the @defcon & @BSidesLV stages again, to share two novel research projects we’ve been working on recently: #HackerSummerCamp #defcon32
Thank you @HoffmanYaniv for inviting me to discuss about CI/CD security and my "Awesome CI/CD Attacks" project. We explored challenges, solutions, and key insights in this critical area of cybersecurity. youtube.com/watch?v=FiTERo…
youtube.com
YouTube
How Hackers Exploit CI/CD Pipelines to Bypass Your Security
Right now on stage @TupleType with “The GitHub Actions Worm: Compromising GitHub repositories through the actions dependency tree”! Join live: youtube.com/live/tlBnIA9FQ…
📚 tl;dr sec 234 🗡️ Awesome CI/CD Attacks @TupleType 🤖 STRIDE GPT ☁️ Non Production AWS Attack Surface @Frichette_n 🛡️ Secure defaults @ramimacisabird 🛠️ WAF bypass tool @infosec_au 💻 Hacking millions of routers @samwcyo tldrsec.com/p/tldr-sec-234
I'll be speaking at @BsidesTLV !!! Join my session about a novel supply chain attack technique abusing @github Actions intended behavior to spread a worm 🪱. bsidestlv.com/agenda/the_git…
What do you think is an important routine for a Security Researcher? I think it is reading Cyber news daily. Here are the most unique and high quality resources I've found about CI/CD attacks in the past 3 years: github.com/TupleType-1/aw… Thanks @omer_gil for the review!
Use CVE-2024-27198 to freely access internal TeamCity instances, create admin access tokens, and steal secrets and configurations - even if the server is not exposed to the internet. How? 🧵 #1/10
Hi @BlackHatEvents - I was shocked to discover that one of your Cyber Security Trainer and Review Board Members is also an antisemitic, a terror supporter who publicly denies Hamas Terror acts. Please remove @Voulnet from his role immediately!
How a worm 🪱 can be used to compromise @github repositories at scale through the Actions dependency tree🌲? The blog details a public disclosure out of many reported to #bugbounty programs This was first reveled at @defcon 31 and @BSidesLV paloaltonetworks.com/blog/prisma-cl…
The GitHub Actions Worm: Compromising GtHub repositories through the actions dependency tree! 🕜 Sat 1:30 pm PT, Track 3 at @defcon 📺 Watch live here: twitch.tv/defcon_dctv_th…
Highly inspired by our @owasp Top 10 CI/CD Security Risks project, cool:)
Keep malicious actors out of your pipeline! Follow the NSA and CISA recommended guidance to defend against CI/CD pipeline compromise. nsa.gov/Press-Room/Pre…
My submission got accepted to @BSidesLV!! Join me at the underground track 🤫 where I'll talk about: The GitHub Actions Worm: Compromising GitHub repositories through the action dependency tree 🌳
My @defcon submission is accepted! Come see my talk 😄 The GitHub Actions Worm: Compromising GitHub repositories through the action dependency tree #defcon31
If you're going to @RSAConference this year and you want to see a new attack method, come see @omer_gil and myself talk about: Abuse of Repository Webhooks to Access Hundreds of Internal CI systems. rsaconference.com/usa/agenda/ses…
Check out my new blog "How to secure your Open Source Project – A quick guide for developers" with examples for @github 🥳 cidersecurity.io/blog/research/…
🔥 The CI/CD Goat 🐐 just got wilder 🔥 Beat our new challenge and win a Gaming Keyboard!!! Thanks to @yaronavital and @omer_gil for co-writing the challenge! github.com/cider-security…
United States Trends
- 1. $BNKK 1,010 posts
- 2. Pond 208K posts
- 3. #MondayMotivation 38.6K posts
- 4. Happy 250th 6,403 posts
- 5. Go Birds 4,619 posts
- 6. $LMT $450.50 Lockheed F-35 1,109 posts
- 7. Semper Fi 5,987 posts
- 8. Good Monday 43.6K posts
- 9. $SENS $0.70 Senseonics CGM 1,126 posts
- 10. $APDN $0.20 Applied DNA 1,101 posts
- 11. Obamacare 218K posts
- 12. Victory Monday 2,262 posts
- 13. Rudy Giuliani 28K posts
- 14. Edmund Fitzgerald 5,196 posts
- 15. #MondayVibes 3,008 posts
- 16. Talus Labs 26.9K posts
- 17. #SoloLaUniónNosHaráLibres 2,054 posts
- 18. Kim Davis N/A
- 19. #USMC 1,053 posts
- 20. #IDontWantToOverreactBUT N/A
You might like
-
Omer Gil
@omer_gil -
Tomer Zait
@realgam3 -
Chris Romeo
@edgeroute -
BSides Tampa IT Security Conference
@BSidesTampa -
Jason Trost
@jason_trost -
bsky.affine.group
@hellman1908 -
Anton
@Antonlovesdnb -
Jaroslav Lobačevski 🇱🇹🇺🇦[email protected]
@yarlob -
Karim El-Melhaoui
@karimscloud -
David Ben David
@Davidsodavid -
Daghan Altas
@DaghanAltas -
bfuzzy
@bfuzzy1
Something went wrong.
Something went wrong.