
Microsoft GitHub Repo Compromise: CI/CD Pipeline Attack and Defense

Security Arsenal Team
June 9, 2026

Introduction

In a significant supply chain security failure, GitHub was forced to disable 73 repositories across Microsoft's Azure, Microsoft, Azure-Samples, and MicrosoftDocs organizations. This action was taken after it was discovered that attackers had compromised the repositories to push password-stealing malicious software. This incident disrupts continuous integration (CI) pipelines and poses a severe risk to organizations relying on these repositories for infrastructure-as-code (IaC), samples, or documentation.

For defenders, this is a wake-up call. The threat is not just a malicious file; it is the subversion of trusted development infrastructure. If an attacker can push to a Microsoft org and trigger a build, they can poison the software supply chain of any downstream consumer. We must immediately assume that any build artifacts consumed from these repositories during the compromise window are suspect.

Technical Analysis

Affected Platforms & Products:

  • Platform: GitHub (SaaS)
  • Organizations: Azure, Microsoft, Azure-Samples, MicrosoftDocs
  • Pipeline Components: GitHub Actions, Azure DevOps pipelines (implied by Azure repos)

Threat Mechanics:

  • Initial Vector: While the specific vector (e.g., leaked PAT, compromised service account, social engineering) has not been fully detailed in the public summary, the result was unauthorized write access to high-trust repositories.
  • Attack Chain:
    1. Compromise: Attackers obtain credentials/tokens with push access.
    2. Injection: Malicious code (password stealer payloads) is committed to the repository.
    3. Execution: Automated CI/CD pipelines trigger on the push.
    4. Payload Delivery: The pipeline executes the malicious code, potentially exfiltrating credentials from the build runner or poisoning the build artifact distributed to users.
  • Malware: Password-stealing software (InfoStealers) designed to harvest credentials from the build environment or end-user machines consuming the artifacts.

Exploitation Status:

  • Active: Repositories have been disabled, indicating the attack was detected and is currently being mitigated. The "disrupting continuous integration pipelines" note confirms active abuse of automation infrastructure.

Detection & Response

Detecting a compromised CI/CD pipeline requires focusing on the behavior of the build runners and the version control system. Legitimate builds compile code and run tests; malicious builds often spawn unexpected shells, reach out to the internet for C2, or dump credentials.

Sigma Rules

The following Sigma rules target suspicious behavior from GitHub Actions runners and Git processes. Deploy these to your SIEM to catch similar supply chain attempts in your environment.

YAML
---
title: GitHub Actions Runner Spawning Encoded PowerShell
id: 8a4b2c1d-5e6f-4a3b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects GitHub Actions Runner processes spawning PowerShell with encoded commands, a common technique to obfuscate malware delivery in CI/CD attacks.
references:
  - https://attack.mitre.org/techniques/T1059/001
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.001
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\Runner.Worker.exe'
      - '\Runner.Listener.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - '-EncodedCommand'
      - '-Enc'
      - 'FromBase64String'
  condition: selection
falsepositives:
  - Legitimate build scripts using encoded parameters (rare)
level: high
---
title: Git Process Connecting to Non-GitHub Endpoint
id: 9c5d3e2f-6a7b-4c5d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects git.exe or GitHub Runner processes initiating network connections to external endpoints other than GitHub, potentially indicating C2 beaconing or data exfiltration.
references:
  - https://attack.mitre.org/techniques/T1071/001
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    Image|endswith:
      - '\git.exe'
      - '\git-remote-http.exe'
      - '\Runner.Worker.exe'
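  filter_legit_github:
    # Exact hosts, plus subdomains anchored on a leading dot so that
    # look-alike domains ending in "github.com" are not filtered out
    - DestinationHostname:
        - 'github.com'
        - 'dev.azure.com' # Azure DevOps
    - DestinationHostname|endswith:
        - '.github.com'
        - '.githubusercontent.com'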
  condition: selection and not filter_legit_github
falsepositives:
  - Legitimate custom git remotes or package manager feeds
level: medium

KQL (Microsoft Sentinel / Defender)

Use this KQL query to hunt for suspicious process execution patterns associated with your build agents.

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious parent-child process relationships in CI/CD
DeviceProcessEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName in~ ("Runner.Worker.exe", "Runner.Listener.exe", "git.exe", "bash", "sh")
// Case-insensitive substring match on interpreters and download tools
| where ProcessCommandLine matches regex @"(?i)(curl|wget|powershell|pwsh|cmd|python)"
// Case-insensitive substring match on encoding and plaintext-protocol indicators
| where ProcessCommandLine matches regex @"(?i)(-EncodedCommand|base64|http://|ftp://)"
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessFileName, ProcessCommandLine, InitiatingProcessCommandLine
| extend CommandLineHash = hash_sha256(ProcessCommandLine) // Dedup similar commands

Velociraptor VQL

This VQL artifact hunts for interpreter processes spawned by the GitHub Actions runner whose command lines show behavior typical of post-exploitation tools.

VQL — Velociraptor
-- Hunt for suspicious processes spawned by GitHub Actions Runners
SELECT Pid, Name, Exe, CommandLine, Parent.Pid AS ParentPid, Parent.Name AS ParentName, Username
FROM pslist()
WHERE (Parent.Name =~ "Runner.Worker"
       OR Parent.Name =~ "Runner.Listener")
   // Flag common interpreter execution often abused in pipelines
   AND Name IN ("powershell.exe", "cmd.exe", "python.exe", "python3.exe", "bash", "sh")
   // Look for suspicious arguments like encoded commands or network activity flags
   AND (CommandLine =~ "-Enc" OR CommandLine =~ "curl" OR CommandLine =~ "wget" OR CommandLine =~ "socket")

Remediation Script (PowerShell)

Run this script on your build agents or workstations to audit recent Git activity and check for indicators of compromise related to the specific organizations mentioned in the alert.

PowerShell
# Audit Script: Check for recent interactions with targeted Microsoft Orgs
Write-Host "[+] Auditing recent Git activity for potential supply chain exposure..."

# Define targeted organizations from the threat intel
$TargetOrgs = @("Azure", "Microsoft", "Azure-Samples", "MicrosoftDocs")

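# Check common Git config locations for remotes.
# -Force is needed because .git directories are hidden on Windows.
$GitConfigPaths = @("$env:USERPROFILE\.gitconfig")
$GitConfigPaths += @(
    Get-ChildItem -Path "$env:USERPROFILE\source\repos" -Recurse -Depth 3 -Force -File -Filter "config" -ErrorAction SilentlyContinue |
        Where-Object { $_.Directory.Name -eq ".git" } |
        Select-Object -ExpandProperty FullName
)

$FoundSuspectRepos = $false

# Capture the owner (first path segment) and repository of every GitHub remote URL
$RemotePattern = 'url\s*=\s*\S*github\.com[:/]([^/\s]+)/(\S+)'

foreach ($Path in $GitConfigPaths) {
    if ($Path -and (Test-Path $Path)) {
        $Content = Get-Content $Path -Raw -ErrorAction SilentlyContinue
        if (-not $Content) { continue }
        # Walk every remote in the file, not only the first match
        foreach ($Match in [regex]::Matches($Content, $RemotePattern, 'IgnoreCase')) {
            $Owner = $Match.Groups[1].Value
            $Repo  = $Match.Groups[2].Value
            # -contains is case-insensitive and matches the whole organization name only
            if ($TargetOrgs -contains $Owner) {
                Write-Host "[!] SUSPICIOUS REPO FOUND: $Path" -ForegroundColor Red
                Write-Host "    - Remote: $Owner/$Repo" -ForegroundColor Yellow
                $FoundSuspectRepos = $true
            }
        }
    }
}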

if (-not $FoundSuspectRepos) {
    Write-Host "[+] No remotes matching targeted organizations found in standard locations." -ForegroundColor Green
} else {
    Write-Host "[CRITICAL] Immediate review of the identified repositories is required. Verify commit history for unauthorized pushes." -ForegroundColor Red
}

# Check for running GitHub Runner processes
$RunnerProcesses = Get-Process | Where-Object { $_.ProcessName -like "*Runner*" -and $_.Company -like "GitHub*" }
if ($RunnerProcesses) {
    Write-Host "[+] Active GitHub Runner processes detected. Review running jobs for anomalies." -ForegroundColor Cyan
}

Remediation

Immediate action is required to secure the supply chain and prevent recurrence of this attack vector within your own organization.

  1. Credential Hygiene:

    • Rotate Secrets: Immediately rotate all Personal Access Tokens (PATs), SSH keys, and OAuth tokens used for interacting with GitHub.
    • Review Permissions: Audit the "Manage Access" settings for your repositories. Ensure that write access is restricted to a minimal number of users and that MFA is enforced for all administrators.
  2. Repository Hardening:

    • Branch Protection Rules: Enforce "Require pull request reviews before merging" on all main branches. This prevents direct pushes of malicious code.
    • Status Checks: Configure required status checks to ensure CI/CD pipelines must pass successfully before merging.
    • Signed Commits: Enforce commit signing. Verify that commits are signed by trusted keys.
  3. Pipeline Security:

    • Least Privilege: Run GitHub Actions with the minimum permissions required (permissions: contents: read instead of write-all).
    • Pin Actions: Do not use mutable action references like uses: actions/checkout@v2. Pin to a full SHA: uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675.
    • Vendor Advisory: Monitor the official GitHub Security Advisories and Microsoft Security Response Center (MSRC) blog for specific IoCs related to the 73 disabled repositories.
  4. Incident Response:

    • Audit build logs for the past 30-90 days for any executed workflows in the affected organizations.
    • If your infrastructure consumed artifacts from these repos, treat the artifacts as compromised and redeploy from known-good versions.
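
The Pipeline Security and Incident Response items above can be checked mechanically. The following Python script is an added example, not code from Security Arsenal or GitHub: it scans a workflow file's text for action references that are not pinned to a full commit SHA, for actions hosted in the four organizations named in this article, and for write-all token permissions. The sample workflow is constructed, and Azure-Samples/example-action is a hypothetical name.

```python
import re

# Organizations the article names as affected (lower-cased for comparison).
AFFECTED_ORGS = {"azure", "microsoft", "azure-samples", "microsoftdocs"}
USES_RE = re.compile(r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*['\"]?([^\s'\"#]+)", re.M)
PERMS_RE = re.compile(r"^[ \t]*permissions:[ \t]*(\S*)", re.M)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow; Azure-Samples/example-action is hypothetical.
SAMPLE_WORKFLOW = """\
name: deploy
on: push
permissions: write-all
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
      - uses: Azure-Samples/example-action@main
      - uses: ./.github/actions/local-build
"""


def audit_workflow(text):
    """Return sorted (finding, detail) tuples for one workflow file's text."""
    findings = []
    for ref in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are not org-hosted refs
        target, _, version = ref.partition("@")
        # Tags, branches and short SHAs can move or collide: only 40 hex chars pass.
        if not FULL_SHA_RE.fullmatch(version):
            findings.append(("unpinned-action", ref))
        # Hosted in a named organization: check it against the disabled-repository list.
        if target.split("/")[0].lower() in AFFECTED_ORGS:
            findings.append(("affected-org-action", ref))
    perms = PERMS_RE.findall(text)
    if not perms:
        findings.append(("no-permissions-block", "GITHUB_TOKEN uses the repository default"))
    elif "write-all" in perms:
        findings.append(("write-all-permissions", "permissions: write-all"))
    return sorted(findings)


if __name__ == "__main__":
    for finding, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{finding}: {detail}")
```

To audit a repository, call audit_workflow on the contents of each file under .github/workflows and fail the build when the returned list is not empty.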
