The “GlassWorm” AttackAudit Your CI/CD for the “Invisible Code” That Exfiltrates Source

By CyberDudeBivash · AppSec, Supply-Chain & DFIR · Apps & Services · Playbooks · ThreatWire · Crypto Security

CyberDudeBivash®

TL;DR 

• “GlassWorm” is our label for a stealthy CI/CD exfiltration technique: invisible steps and shadow jobs siphon your code, secrets, or artifacts under the cover of legitimate builds.
• Attackers don’t “pop” prod; they borrow your pipeline—abusing runner privileges, repo webhooks, Git hooks, build wrappers, or dependency scripts.
• This playbook is defense-only: fast scoping, targeted hunts for rogue jobs/steps, runner hardening, egress controls, provenance (SLSA/in-toto), and KPIs your board will understand.

Edureka
DevSecOps & supply-chain courses—team-ready.Alibaba Cloud
Immutable artifact storage & cross-region DR.Kaspersky
Cut commodity noise so stealthy CI leaks stand out.AliExpress
Lab essentials: HSMs, FIDO keys, SSDs, analyzers.

Disclosure: We may earn commissions from partner links. Handpicked by CyberDudeBivash.Table of Contents

1. Threat Model: “Invisible Code” in CI/CD
2. 90-Minute QuickCheck (Blast Radius)
3. Hunts: GitHub, GitLab & Azure DevOps
4. Runner Hardening & Egress Control
5. Provenance: SLSA, in-toto, Sigstore
6. Executive KPIs & Dashboards
7. Comms, Evidence & Recovery
8. FAQ

Threat Model: “Invisible Code” in CI/CD

“Invisible code” is build logic you don’t normally review: orphaned YAML includes, auto-merged pipeline templates, post-gen scripts, package lifecycle hooks (postinstall, prepare), Git hooks, wrapper scripts, and runner bootstrap files. “GlassWorm” abuses these to

• read your repo and dependencies,
• exfil artifacts/secrets to attacker infra,
• mint or reuse CI OIDC tokens to reach cloud registries,
• and persist via schedules, environment-scoped rules, or shadow runners.

Defense-only: we focus on finding rogue paths and removing the blast radius—not on how to create them.

90-Minute QuickCheck (Blast Radius)

1. Inventory pipelines: list repositories with CI enabled; capture default branches, pipeline templates/includes, and schedules.
2. Diff the last 30 days: pipeline YAML changes, new includes, new secrets/variables, and new or modified runners.
3. Egress pulse: top destinations contacted by runners (by ASN and domain) in last 7–14 days; flag any new SaaS or pastebins.
4. Artifact access: enumerate who/what downloaded build artifacts and SBOMs; flag anonymous or cross-project pulls.
5. Token scope: list CI tokens and cloud roles reachable via OIDC; highlight write scopes and long-lived keys.

Hunts: GitHub, GitLab & Azure DevOps

1) GitHub Actions — “Rogue Step & Shadow Workflow” Hunt

• Where to look: .github/workflows/*.yml, workflow_call includes, organization-level reusable workflows, and branch protection bypasses.
• Signals: new curl/wget/Invoke-WebRequest to unknown hosts; actions/checkout with fetch-depth=0 on private monorepos; oidc-token requests to unexpected audiences; artifact uploads with wildcards.

# GitHub Audit Log (concept via API/Export)
# Filter: actor=actions, action=repo.download, repo.artifact.download, secret_scanning_alert.created, workflow_job.run
# Flag: New workflow files on default branch; workflows triggered by "repository_dispatch" from unknown apps
  

2) GitLab CI — “Invisible Include & Runner Abuse” Hunt

• Where to look: .gitlab-ci.yml + include: (remote/project/file); instance/group runners; protected variables; schedules.
• Signals: includes from external URLs; jobs with when: delayed or odd schedules; before_script with outbound transfers; runners with shell executor and broad network egress.

# GitLab Audit Events (concept)
# Look for: integration/runner created, variables created, pipeline schedule created, project hook created
# Cross-check: runner registration tokens used; new shared runners attached to sensitive projects
  

3) Azure DevOps — “Service Connection & Pipeline Library” Hunt

• Where to look: Service connections (ARM, AWS, GCP), variable groups, YAML templates, classic release pipelines.
• Signals: service connections gaining Owner/Contributor; pipelines referencing external templates; script tasks with outbound uploads.

# ADO Audit Stream (concept)
# Filter: ServiceConnectionModified, VariableGroupModified, BuildQueue, ReleaseStart
# Alert: non-human principals adding permissions; pipelines run on weekends/night with unusual durations
  

4) Shared Hunts — Git Hooks, Package Scripts & Build Wrappers

• Git hooks: detect .git/hooks in source or bootstrapped by build images; forbid executing hooks in CI unless signed/attested.
• Package lifecycle: NPM/Yarn prepare/postinstall, Python setup.py/pyproject hooks, Golang go:generate—alert on network from these phases.
• Wrappers: shells that wrap compilers or test runners; diff for new trap or alias logic.

Runner Hardening & Egress Control

Principles that make “GlassWorm” noisy

• Ephemeral runners only for sensitive repos (one-job VMs/containers; destroy on completion).
• Egress allowlists for build subnets; block arbitrary internet; force traffic through a proxy with TLS inspection where policy allows.
• Token hygiene: short-lived OIDC with audience binding; no long-lived PATs; minimal scopes for package registries and cloud.
• Secrets control: no secrets for pull-requests from forks; environment-scoped secrets; masked variables; detect secrets in logs/artifacts.
• Filesystem isolation: mount work dirs read-only where possible; forbid docker-in-docker unless needed; separate credentials from workspace.

Concrete guardrails (defense-only, conceptual snippets)

# GitHub Actions: harden permissions (default deny)
permissions:
  contents: read
  id-token: write   # only if OIDC is intended
  packages: read
# Disallow unpinned actions; require SHA pinning via org policy

# GitLab Runner: network policies (concept)
# Egress from runner namespace limited to: registry, mirrors, package repos; block *.binpaste.* etc.

# Azure DevOps: service connection
# Use workload identity federation (OIDC); restrict to per-env subscriptions; no Owner role; rotate certs frequently.
  

Provenance: SLSA, in-toto & Sigstore

• SLSA levels: target SLSA 3+ for critical builds (ephemeral isolated runners, hermetic builds where feasible).
• in-toto attestations: record who built what, when, and with which materials; store alongside artifacts.
• Sigstore (cosign/rekor): sign artifacts and SBOMs with keyless OIDC; verify at deploy; block unverified artifacts.
• SBOM gates: generate CycloneDX/SPDX on CI; diff at PR; fail on unknown high-risk components.

# Concept: verify provenance at deploy
cosign verify-attestation --type slsaprovenance --certificate-oidc-issuer  
# Block deploy if verification fails; log reason to SIEM.
  

Executive KPIs & Dashboards (Prove Control)

• Exposure: % critical repos on ephemeral runners; % workflows pinned by SHA; number of external includes.
• Secrets: median secret age; count of long-lived tokens (target: 0); secrets found in logs/artifacts (target: 0).
• Egress: new destinations contacted by runners (weekly); % builds behind proxy; RPZ blocks triggered.
• Provenance: % releases with valid in-toto/Sigstore attestation; deploy blocks due to failed verification.
• IR: mean time to revoke CI tokens; time to detach rogue runners; evidence completeness (audit + artifact hashes).

If you can’t measure it from logs or provenance, prioritize telemetry first—not another tool.

Comms, Evidence & Recovery

1. Evidence pack: audit exports (pipeline changes, runner events, service connections), artifact hash lists, egress destinations, token inventories.
2. Containment: detach/disable shared runners; rotate PATs and service-connection creds; revoke OIDC trust for affected repos; block new egress.
3. Recovery: rebuild golden base images; re-enroll runners; enforce org-wide policies (SHA pinning, required reviews, secret-from-forks=false).
4. Stakeholder brief: what left the environment (code/secrets), when, how long exposure lasted, and what controls you shipped.

Secure remote IR with TurboVPN (teams) →

Need Expert Help? Engage CyberDudeBivash Supply-Chain Defense

• CI/CD posture review & ephemeral runner rollout
• Org policies (SHA pinning, secret governance, fork hygiene)
• Provenance program (SLSA, in-toto, Sigstore, SBOM gates)
• SIEM detections & SOAR runbooks for CI incidents

Explore Apps & Services  |  cyberdudebivash.com · cyberbivash.blogspot.com · cyberdudebivash-news.blogspot.com · cryptobivash.code.blog

Next Reads from CyberDudeBivash

• Your CI/CD Pipeline is at Risk — Critical GitLab DoS Patch Playbook
• The CISO’s OAuth IR Playbook (Step-by-Step)
• ThreatWire: Supply-Chain & Build-System Intrusions

FAQ

Is “GlassWorm” a known CVE?

No—it’s a scenario label for stealthy CI/CD exfil via invisible build logic. This article is defense-only.

Will ephemeral runners and egress allowlists break productivity?

Use tiered policies: strict for crown-jewel repos, looser for low-risk projects. Measure impact via build time and failure rates.

Do we need artifact signing and provenance for everything?

Start with release and base-image pipelines. Expand coverage as you mature. Block deploys missing attestations.

Fastest wins this week?

Turn off secrets for forks, rotate long-lived tokens, pin actions by SHA, enforce ephemeral runners on sensitive repos, and proxy runner egress.

CyberDudeBivash — Global Cybersecurity Brand · cyberdudebivash.com · cyberbivash.blogspot.com · cyberdudebivash-news.blogspot.com · cryptobivash.code.blog

Author: CyberDudeBivash · Powered by CyberDudeBivash · © All Rights Reserved.

 #CyberDudeBivash #CICD #SupplyChain #SLSA #in_toto #Sigstore #GitHubActions #GitLabCI #AzureDevOps #IncidentResponse