Living Off the Pipeline: From Supply Chain 0-Days to Predicting the next XZ-like attacks

François Proulx

NorthSec 2025 · Day 1 · Ville-Marie

François Proulx, VP of Security Research at Montreal-based BoostSecurity, presents a systematic taxonomy of CI/CD attack vectors, a live walk-through of vulnerable GitHub Actions workflow patterns, and the architecture of two internal tools — Package Supply V3 and Package Threat Hunter — that have already caught real compromises in production. The talk extends last year's NorthSec presentation with a MITRE ATT&CK framework adapted to CI/CD environments and introduces the concept of "living off the pipeline": abusing legitimate build tools as the attack vehicle rather than introducing foreign malware.

AI review

François Proulx (BoostSecurity) presents original CI/CD pipeline security research grounded in a production scanning system (Package Supply V3) covering 10,000+ high-confidence findings across government, university, and corporate entities. It introduces a CI/CD-adapted MITRE ATT&CK framework, a live walk-through of pull_request_target exploitation, stale-branch vulnerability resurrection via Poutine, and the Package Threat Hunter — a near-real-time GitHub event ingestion system that reconstructed the Kon ingress controller compromise forensics before the public knew it happened.