Case Study: Flank detects a CI/CD supply chain attack in real time with StepSecurity Harden-Runner

A StepSecurity Case Study

Preview of the Flank Case Study

StepSecurity Detects CI/CD Supply Chain Attack in Google’s Open-Source Project Flank in Real-Time

The customer, Google's open-source project Flank, faced a critical challenge when a security researcher exploited a vulnerable GitHub Actions workflow. The vulnerability allowed untrusted code to run with elevated permissions, a direct path to a supply chain attack in which a malicious actor could have tampered with software releases. The project was running StepSecurity Harden-Runner in audit mode to monitor the workflow.

StepSecurity's Harden-Runner detected the attack in real time by establishing a baseline of normal network egress traffic for the job. When the exploit made an anomalous outbound call to an endpoint not in that baseline, Harden-Runner flagged it and raised an alert about the potential compromise. This detection prevented what could have escalated into a major software supply chain attack, similar to the XZ Utils incident, safeguarding the integrity of the Flank project and its users.
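The egress-baselining logic described above, as an added illustration that is not StepSecurity's own code: a per-job baseline of destinations is built from known-good runs, and a later run is checked for calls to endpoints outside it, with the action depending on audit or block mode. The job, step and host names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample egress records: (job, step, destination). Names and hosts
# are invented for this example, not taken from Flank's actual workflows.
BASELINE_RUNS = [
    # known-good run 1
    ("release", "Checkout", "github.com:443"),
    ("release", "Build", "repo.maven.apache.org:443"),
    ("release", "Publish", "api.github.com:443"),
    # known-good run 2
    ("release", "Checkout", "github.com:443"),
    ("release", "Build", "repo.maven.apache.org:443"),
    ("release", "Build", "plugins.gradle.org:443"),
    ("release", "Publish", "api.github.com:443"),
]

# A later run in which untrusted code reached an endpoint never seen before.
NEW_RUN = [
    ("release", "Checkout", "github.com:443"),
    ("release", "Build", "repo.maven.apache.org:443"),
    ("release", "Test", "exfil.example:443"),  # constructed anomalous endpoint
    ("release", "Publish", "api.github.com:443"),
]


def build_baseline(records):
    """Union of destinations observed per job across the known-good runs."""
    baseline = defaultdict(set)
    for job, _step, dest in records:
        baseline[job].add(dest)
    return baseline


def evaluate_run(baseline, records, mode="audit"):
    """Report every egress call whose destination is outside the job's baseline.

    Audit mode only alerts; block mode marks the call as denied as well."""
    action = "block" if mode == "block" else "alert"
    findings = []
    for job, step, dest in records:
        if dest not in baseline.get(job, set()):
            findings.append({"job": job, "step": step,
                             "destination": dest, "action": action})
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_RUNS)
    for f in evaluate_run(base, NEW_RUN):
        print(f"{f['action'].upper()}: job={f['job']} step={f['step']} -> {f['destination']}")
```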


Adnan Khan

Independent Security Researcher
