New Wave of Supply Chain Attacks Targets CI/CD Infrastructure – Experts Warn
Attackers are shifting from dependency poisoning to compromising CI/CD infrastructure, using build servers and runners to deploy malware that blends with legitimate workflows, experts warn.
Breaking: Attackers Turn to Build Servers and CI/CD Runners to Infiltrate Software Supply Chains
Cybersecurity researchers have identified an alarming shift in supply chain attacks: adversaries are increasingly targeting the trusted infrastructure that powers software delivery—build servers, CI/CD runners, and developer workstations. These systems, designed to execute code automatically with elevated privileges, are now being weaponized to bypass traditional security controls, according to a new report released today.

“Instead of poisoning open-source packages or hijacking repositories, attackers are compromising the very systems that organizations trust to build and deploy software,” said Dr. Elena Martinez, lead threat analyst at CyberDefense Labs. “Once inside, malicious activities blend seamlessly with legitimate workflows, making detection extremely difficult.”
How the Attacks Work
In one documented case, attackers exploited a self-hosted TeamCity server and remained undetected for over a year. They created a seemingly benign build configuration that, when executed by a trusted build agent with SYSTEM privileges, deployed a backdoor into internal networks. The malicious code appeared indistinguishable from normal operational activity—no suspicious binaries, no obvious malware delivery.
“This kind of attack points to a core challenge: In CI/CD environments, malicious behavior often looks exactly like expected behavior,” added Martinez. The report also details incidents where GitLab service account tokens were stolen to create malicious projects, turning the organization's own automation tools against it.

Background
The software supply chain has long been a target for adversaries, but attacks in 2025 have shifted focus from dependency poisoning to infrastructure subversion. Build servers, CI/CD runners, and package managers sit inside the trusted delivery path and routinely execute privileged actions—compiling code, pulling dependencies, moving artifacts, and deploying software. That trusted position and privileged, automatic execution are exactly what make them ideal attack surfaces.
Threat actors are adopting “shift-left” tactics, compromising systems before code ever reaches production. By abusing automation itself, they can scale attacks faster and evade detection more easily than traditional perimeter-based breaches.
What This Means
For security teams, this trend demands a fundamental rethinking of defenses. Traditional endpoint protection and network monitoring are insufficient because the malicious activity originates from trusted infrastructure. Organizations must implement strict access controls for CI/CD pipelines, monitor build agent behavior for anomalies, and treat automation tools as high-value assets.
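The monitoring advice above can be made concrete with a small detection pass over CI/CD audit events, keyed to the two incidents described earlier (a new build configuration run by a privileged agent, and a service account creating projects). This is an added example, not code from the report or any vendor; the event schema, field names, account names, and the seven-day window are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Assumed, normalized audit-event schema (hypothetical; not a TeamCity or GitLab format).
APPROVED_CONFIG_AUTHORS = {"alice", "release-bot"}   # who may create build configurations
PRIVILEGED_RUN_AS = {"SYSTEM", "root"}
NEW_CONFIG_WINDOW = timedelta(days=7)                # assumed threshold for a "new" config

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2025-03-01T09:00:00","action":"build_config.create","actor":"alice","actor_type":"user","target":"web-release"}
{"ts":"2025-03-01T09:10:00","action":"build.run","actor":"alice","actor_type":"user","target":"web-release","agent":"agent-01","run_as":"builder"}
{"ts":"2025-03-02T02:14:00","action":"build_config.create","actor":"jdoe-temp","actor_type":"user","target":"cache-warmup"}
{"ts":"2025-03-02T02:20:00","action":"build.run","actor":"jdoe-temp","actor_type":"user","target":"cache-warmup","agent":"agent-03","run_as":"SYSTEM"}
{"ts":"2025-03-02T03:00:00","action":"project.create","actor":"svc-mirror","actor_type":"service_account","target":"infra-tools-mirror"}
{"ts":"2025-03-02T04:00:00","action":"build.run","actor":"release-bot","actor_type":"service_account","target":"nightly","agent":"agent-02","run_as":"SYSTEM"}
"""

def detect(raw_events):
    """Return (rule, target, principal) tuples for events worth an analyst's review."""
    findings = []
    config_created_at = {}  # build configuration name -> creation time seen in the log
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        action, actor, target = ev["action"], ev["actor"], ev["target"]
        if action == "build_config.create":
            config_created_at[target] = ts
            if actor not in APPROVED_CONFIG_AUTHORS:
                findings.append(("unapproved_config_author", target, actor))
        elif action == "project.create" and ev["actor_type"] == "service_account":
            # Assumption: automation tokens work inside existing projects, so creating one is unusual.
            findings.append(("service_account_created_project", target, actor))
        elif action == "build.run":
            born = config_created_at.get(target)
            is_new = born is not None and ts - born <= NEW_CONFIG_WINDOW
            if is_new and ev.get("run_as") in PRIVILEGED_RUN_AS:
                # A freshly created configuration executing with high privilege.
                findings.append(("new_config_privileged_run", target, ev["agent"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The long-standing `nightly` job running as SYSTEM is not flagged, which is the point: the rules key on change (who created what, and how soon it ran with privilege) rather than on privilege alone.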
“Your CI/CD pipeline is now a primary attack vector,” warned Dr. Martinez. “Securing it should be as critical as securing your production servers. If you trust automation blindly, you’re handing attackers the keys to your kingdom.”