Grand Theft Actions Abusing Self Hosted GitHub Runners
Adnan Khan, John Stawinski
DEF CON 32 Main Stage · Day 1
In "Grand Theft Actions," Adnan Khan and John Stawinski expose a pervasive and critical vulnerability within the GitHub Actions ecosystem: the insecure configuration of **self-hosted runners**. Their research highlights how a common misconfiguration, the use of non-ephemeral self-hosted runners on public repositories, creates a broad attack surface that can be exploited for widespread supply chain attacks. The speakers reveal that numerous prominent organizations and projects have, at some point, used these runners in a manner susceptible to compromise, demonstrating the severe implications for software supply chain security.
AI review
Khan and Stawinski's "Grand Theft Actions" is a critical deep dive into the pervasive and dangerous misconfiguration of non-ephemeral self-hosted GitHub Actions runners. Their research exposes a systemic flaw where public repositories, by accepting pull requests, can inadvertently grant persistent code execution on internal infrastructure, leading to widespread supply chain compromises. This isn't theoretical; they've demonstrated critical exploits against major entities, including GitHub's own infrastructure and Microsoft, providing essential, actionable intelligence for any organization…
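The misconfiguration the abstract and the review describe, a pull-request-triggered workflow whose jobs land on a self-hosted runner, can be spotted in a repository's workflow files before anyone registers a runner. The following is an added example, not code or tooling from the speakers: a stdlib-only Python audit that flags jobs with a `self-hosted` label (or an unresolved `${{ }}` runner expression) in workflows triggered by `pull_request` or `pull_request_target`. The trigger set, the `self-hosted` label and the sample workflows are my assumptions and constructed inputs, not a list taken from the talk, and the parser understands only the common `on:` and `runs-on:` layouts.

```python
"""Heuristic audit of GitHub Actions workflow files for the misconfiguration the talk
describes: a job on a self-hosted runner in a pull-request-triggered workflow, which on a
public repository lets PR authors reach that runner. Added example, stdlib only; it parses
only the common `on:`/`runs-on:` layouts (no `group:` form), so a clean result is a first pass."""
import re

PR_TRIGGERS = {"pull_request", "pull_request_target"}  # assumed set of PR-fed events


def _triggers(lines):
    """Event names under the top-level `on:` key (inline scalar, inline list or block)."""
    found = set()
    for i, line in enumerate(lines):
        m = re.match(r"""^(?:on|"on"|'on'):\s*(.*)$""", line)
        if not m:
            continue
        rest = m.group(1).strip()
        if rest.startswith("[") and rest.endswith("]"):
            found.update(t.strip().strip("'\"") for t in rest[1:-1].split(",") if t.strip())
        elif rest:
            found.add(rest.strip("'\""))
        else:
            child = None  # indentation of the direct children of `on:`
            for sub in lines[i + 1:]:
                s = sub.strip()
                if not s or s.startswith("#"):
                    continue
                ind = len(sub) - len(sub.lstrip(" "))
                if ind == 0 and not s.startswith("- "):
                    break  # reached the next top-level key
                child = ind if child is None else child
                if ind == child:  # skip nested options such as branches:
                    name = re.match(r"""^-?\s*['"]?([A-Za-z_]+)['"]?\s*:?""", s)
                    if name:
                        found.add(name.group(1))
        break
    return found


def _runs_on(lines):
    """(job id, runs-on labels) for each job; a label may be an unresolved ${{ }} expression."""
    out, in_jobs, job_indent, job = [], False, None, "?"
    for i, line in enumerate(lines):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        ind = len(line) - len(line.lstrip(" "))
        if ind == 0:
            in_jobs = s.startswith("jobs:")
            continue
        if not in_jobs:
            continue
        job_indent = ind if job_indent is None else job_indent
        if ind == job_indent and s.endswith(":"):
            job = s[:-1].strip("'\"")  # job id
        m = re.match(r"runs-on:\s*(.*)$", s)
        if not m:
            continue
        val = m.group(1).strip()
        if val.startswith("[") and val.endswith("]"):  # runs-on: [self-hosted, linux]
            labels = [v.strip().strip("'\"") for v in val[1:-1].split(",") if v.strip()]
        elif val:  # runs-on: ubuntu-latest  or  runs-on: ${{ matrix.os }}
            labels = [val.strip("'\"")]
        else:  # block list on the following lines
            labels = []
            for sub in lines[i + 1:]:
                t = sub.strip()
                if t.startswith("- "):
                    labels.append(t[2:].strip().strip("'\""))
                elif t and not t.startswith("#"):
                    break
        out.append((job, labels))
    return out


def audit_workflow(text):
    """Return the PR triggers found and the jobs whose runner is self-hosted or unresolved."""
    lines = text.splitlines()
    pr_triggers = sorted(_triggers(lines) & PR_TRIGGERS)
    findings = []
    for job, labels in (_runs_on(lines) if pr_triggers else []):
        if "self-hosted" in labels:
            findings.append({"job": job, "labels": labels, "reason": "self-hosted"})
        elif any("${{" in l for l in labels):  # runner chosen at run time: review by hand
            findings.append({"job": job, "labels": labels, "reason": "unresolved"})
    return {"pr_triggers": pr_triggers, "findings": findings}


# Constructed sample workflows (not taken from any real repository).
SAMPLE_PR_SELF_HOSTED = """\
on:
  pull_request:
    branches: [main]
  push:
jobs:
  build:
    runs-on: [self-hosted, linux]
"""
SAMPLE_PUSH_ONLY = """\
on: [push]
jobs:
  deploy:
    runs-on:
      - self-hosted
"""

if __name__ == "__main__":
    print(audit_workflow(SAMPLE_PR_SELF_HOSTED))
    print(audit_workflow(SAMPLE_PUSH_ONLY))
```

A hit only says that pull-request content can reach a self-hosted runner; whether that matters depends on the repository being public and on how the runner was registered. The talk's point is the non-ephemeral case, so for every flagged job the follow-up check is whether the runner was registered with `config.sh --ephemeral` (a real runner option) and whether the repository accepts pull requests from forks.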