SentinelOne — Living Off the Pipeline: CI/CD subversion taxonomy
From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17
SentinelOne's "Living Off the Pipeline" research (covered daily 2026-05-16, [SINGLE-SOURCE]) presents a three-case taxonomy of CI/CD subversion in real intrusions: TeamCity buildAgent-token theft, GitLab service-account pivot, and Contagious Interview (DPRK-aligned) build-time compromise. The weekly-level synthesis worth surfacing: the three-case study generalises to a defender pattern — CI/CD systems concentrate trust (build secrets, artifact-signing keys, deployment credentials) in machine-identity environments with weaker authentication / authorisation telemetry than human-identity environments. Combined with the Sophos NHI finding (41% of identity breaches root-caused to NHI mismanagement, above), CI/CD platforms are the highest-leverage NHI-governance attack surface for Swiss / EU public-sector DevSecOps programmes. Hunt seeds: TeamCity buildAgent re-auth events, GitLab CI job impersonation patterns, GitHub Actions OIDC-token reuse outside expected workflow scope (daily 2026-05-16).
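The third hunt seed above (OIDC tokens presented outside their expected workflow scope) is the one most readily turned into a deterministic check on the relying-party side. The following is an added example, not code from SentinelOne's research or from this brief: a policy evaluator over the claims of a GitHub Actions OIDC token. The claim names used (`iss`, `aud`, `sub`, `repository`, `ref`, `job_workflow_ref`, `environment`, `exp`, `jti`) are the ones GitHub documents for Actions OIDC tokens; the policy values, the sample payloads, the organisation and repository names and the fixed clock are all constructed. Signature verification against GitHub's JWKS is assumed to have happened upstream; the code only judges already-verified claims and keeps a `jti` replay cache so that a token presented twice is flagged as reuse.

```python
# Added example (not from the SentinelOne research or this brief): scope check for
# GitHub Actions OIDC token claims at a relying party such as a deploy role.
# Claim names are GitHub's documented ones; policy values, payloads and the clock
# are constructed. Signature verification is assumed to have been done upstream.
from dataclasses import dataclass
import fnmatch

GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class WorkflowScopePolicy:
    """Expected scope for tokens presented to one relying party."""
    audience: str
    repository: str
    allowed_refs: tuple[str, ...]               # glob patterns over `ref`
    allowed_job_workflow_refs: tuple[str, ...]  # glob patterns over `job_workflow_ref`
    allowed_environments: tuple[str, ...] = ()  # empty tuple = do not constrain


def _matches_any(value: str, patterns: tuple[str, ...]) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate_claims(claims: dict, policy: WorkflowScopePolicy,
                    seen_jti: set, now: int) -> list[str]:
    """Return findings for one presented token; an empty list means in scope.

    `seen_jti` is the caller's replay cache across presentations: a jti that
    turns up twice is the simplest form of "token reuse outside expected scope".
    """
    findings = []
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        findings.append(f"unexpected issuer: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if policy.audience not in aud_list:
        findings.append(f"audience {aud!r} not intended for this relying party")
    if claims.get("repository") != policy.repository:
        findings.append(f"repository {claims.get('repository')!r} not in policy")
    if not _matches_any(claims.get("ref", ""), policy.allowed_refs):
        findings.append(f"ref {claims.get('ref')!r} outside allowed refs")
    jwr = claims.get("job_workflow_ref", "")
    if not _matches_any(jwr, policy.allowed_job_workflow_refs):
        findings.append(f"job_workflow_ref {jwr!r} is not an approved workflow")
    env = claims.get("environment")
    if policy.allowed_environments and env not in policy.allowed_environments:
        findings.append(f"environment {env!r} not in policy")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        findings.append("token expired or missing exp")
    jti = claims.get("jti")
    if not jti:
        findings.append("missing jti")
    elif jti in seen_jti:
        findings.append(f"jti {jti} already presented: possible token reuse")
    else:
        seen_jti.add(jti)
    return findings


# Constructed policy: only the deploy workflow on main of one repo, env "production".
DEPLOY_WORKFLOW = "example-org/payments-service/.github/workflows/deploy.yml@refs/heads/main"
DEPLOY_POLICY = WorkflowScopePolicy(
    audience="https://deploy.example.internal",
    repository="example-org/payments-service",
    allowed_refs=("refs/heads/main",),
    allowed_job_workflow_refs=(DEPLOY_WORKFLOW,),
    allowed_environments=("production",),
)
NOW = 1_778_000_000  # constructed fixed clock so the example is deterministic


def _token(**overrides) -> dict:
    """Constructed decoded payload shaped like a GitHub Actions OIDC token."""
    base = {
        "iss": GITHUB_OIDC_ISSUER,
        "aud": DEPLOY_POLICY.audience,
        "sub": "repo:example-org/payments-service:environment:production",
        "repository": "example-org/payments-service",
        "ref": "refs/heads/main",
        "job_workflow_ref": DEPLOY_WORKFLOW,
        "environment": "production",
        "exp": NOW + 300,
        "jti": "jti-0001",
    }
    base.update(overrides)
    return base


def run_demo() -> dict:
    seen = set()
    return {
        "legitimate": evaluate_claims(_token(), DEPLOY_POLICY, seen, NOW),
        # Same token presented a second time: jti replay.
        "replayed": evaluate_claims(_token(), DEPLOY_POLICY, seen, NOW),
        # Minted by the CI test workflow (no environment) but aimed at the deploy role.
        "wrong_workflow": evaluate_claims(
            _token(jti="jti-0002", environment=None,
                   job_workflow_ref="example-org/payments-service/.github/workflows/ci.yml@refs/heads/main"),
            DEPLOY_POLICY, seen, NOW),
        # Deploy workflow, but run from a feature branch.
        "feature_branch": evaluate_claims(
            _token(jti="jti-0003", ref="refs/heads/feature/x",
                   sub="repo:example-org/payments-service:ref:refs/heads/feature/x"),
            DEPLOY_POLICY, seen, NOW),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {'in scope' if not findings else findings}")
```

The point of matching on `job_workflow_ref` rather than only on `sub` is that `sub` can be satisfied by any job in the repository on the right branch, while `job_workflow_ref` pins the token to the specific workflow file and ref that is supposed to deploy; the `jti` cache turns a one-shot assertion into something that can be correlated across presentations, which is what the hunt seed asks for.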