ctipilot.ch


SentinelOne — Living Off the Pipeline: CI/CD subversion taxonomy

notable annual-report discovered 2026-05-11 05:00 UTC single-source

Entities: SentinelOne

Part of run 2026-W20-71c96b25 (weekly · Claude Opus 4.7)

SentinelOne's "Living Off the Pipeline" research (covered daily 2026-05-16, [SINGLE-SOURCE]) presents a three-case taxonomy of CI/CD subversion in real intrusions: TeamCity buildAgent-token theft, GitLab service-account pivot, and Contagious Interview (DPRK-aligned) build-time compromise. The weekly-level synthesis worth surfacing: the three-case study generalises to a defender pattern — CI/CD systems concentrate trust (build secrets, artifact-signing keys, deployment credentials) in machine-identity environments with weaker authentication / authorisation telemetry than human-identity environments. Combined with the Sophos NHI finding (41% of identity breaches root-caused to NHI mismanagement, above), CI/CD platforms are the highest-leverage NHI-governance attack surface for Swiss / EU public-sector DevSecOps programmes. Hunt seeds: TeamCity buildAgent re-auth events, GitLab CI job impersonation patterns, GitHub Actions OIDC-token reuse outside expected workflow scope (daily 2026-05-16).
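The last hunt seed, GitHub Actions OIDC-token reuse outside expected workflow scope, as an added detection example (not SentinelOne's or GitHub's code): it checks a token's decoded claims against a pinned scope and flags a `jti` presented more than once. The claim names are the standard ones in Actions OIDC tokens; the scope, the sample claims and the single-workflow, no-environment assumption are constructed for illustration.

```python
"""Hunt logic: is a GitHub Actions OIDC token being used outside its expected
workflow scope, or replayed?  Sample scope and claims below are constructed."""
from dataclasses import dataclass, field


@dataclass
class ExpectedScope:
    audience: str            # aud the relying party (cloud role / vault) expects
    repository: str          # owner/repo allowed to assume the deployment role
    ref: str                 # git ref deployments may run from
    workflow_file: str       # the single workflow file allowed to deploy
    seen_jti: set = field(default_factory=set)  # replay tracking across events


def check_token(claims: dict, presented_at: int, scope: ExpectedScope) -> list:
    """Return finding strings; an empty list means the token is in scope."""
    findings = []
    if claims.get("aud") != scope.audience:
        findings.append(f"aud mismatch: {claims.get('aud')}")
    if claims.get("repository") != scope.repository:
        findings.append(f"repository out of scope: {claims.get('repository')}")
    if claims.get("ref") != scope.ref:
        findings.append(f"ref out of scope: {claims.get('ref')}")
    # job_workflow_ref = owner/repo/<workflow path>@<ref>: pin the file, not just the repo
    expected_jwr = f"{scope.repository}/{scope.workflow_file}@{scope.ref}"
    if claims.get("job_workflow_ref") != expected_jwr:
        findings.append(f"job_workflow_ref out of scope: {claims.get('job_workflow_ref')}")
    # sub must agree with repository+ref (assumes no environment, which changes sub's form)
    if claims.get("sub") != f"repo:{scope.repository}:ref:{scope.ref}":
        findings.append(f"sub mismatch: {claims.get('sub')}")
    if presented_at >= int(claims.get("exp", 0)):
        findings.append("token presented after exp")
    jti = claims.get("jti")  # one token per job: the same jti twice is a replay
    if jti in scope.seen_jti:
        findings.append(f"jti {jti} presented more than once (replay)")
    scope.seen_jti.add(jti)
    return findings


def hunt(events: list, scope: ExpectedScope) -> list:
    """events: (presented_at, claims) pairs in arrival order -> (index, finding) pairs."""
    return [(i, f) for i, (t, c) in enumerate(events) for f in check_token(c, t, scope)]


# Constructed sample scope and claims for a deployment role.
SCOPE = ExpectedScope(audience="sts.amazonaws.com", repository="example-org/billing-svc",
                      ref="refs/heads/main", workflow_file=".github/workflows/deploy.yml")
GOOD = {"aud": "sts.amazonaws.com", "repository": "example-org/billing-svc",
        "ref": "refs/heads/main", "sub": "repo:example-org/billing-svc:ref:refs/heads/main",
        "job_workflow_ref": "example-org/billing-svc/.github/workflows/deploy.yml@refs/heads/main",
        "jti": "a1", "exp": 1000}
BRANCH = dict(GOOD, ref="refs/heads/feature-x", jti="a2",
              sub="repo:example-org/billing-svc:ref:refs/heads/feature-x",
              job_workflow_ref="example-org/billing-svc/.github/workflows/deploy.yml@refs/heads/feature-x")

if __name__ == "__main__":
    for idx, finding in hunt([(900, GOOD), (910, BRANCH), (950, GOOD)], SCOPE):
        print(f"event {idx}: {finding}")
```

The branch token trips the ref, `job_workflow_ref` and `sub` checks together, which is the signal to look for; a token that passes every scope check but repeats a `jti` is the reuse case.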

supply-chain identity global