
Poisoned Pipeline Execution

The most dangerous CI/CD vulnerability doesn't change a single line of application code. It changes the pipeline — and runs arbitrary code in the build with the build's privileges and secrets.


What PPE is

Poisoned Pipeline Execution (OWASP CICD-SEC-4) abuses write access to the source-control system so the CI pipeline runs malicious commands — with access to the secrets, artifacts and internal network of the build runner.

Megalodon: PPE at industrial scale

On May 18, 2026, the Megalodon campaign injected malicious workflow files into over 5,561 GitHub repos in a single 6-hour window — a textbook direct PPE (D-PPE) that exploited repos with weak or missing branch protection. Crucially: the attacker never touched application code, only pipeline definitions — practically invisible to code reviewers.

The TanStack npm attack (May 11, 2026) showed related weaknesses: insecure pull_request_target, cache poisoning and token theft in GitHub Actions workflows.

The walkthrough

Here's how a PPE attack runs — and where PoisonZero severs it, provided an agent in the runner has protected paths configured:

1 · SCM access: branch protection missing
   Fork PRs or weak rules allow write access to pipeline files.

2 · D-PPE: pipeline file poisoned
   Only the workflow/CI config is changed — app code stays untouched.

3 · Build: runner executes
   With the privileges and secrets of the job.

PoisonZero: evaluates writes to protected agent/config paths in the runner.
   Example verdict: danger 0.95 → revert (✕ Prevented)

Without protection: secrets exfil → backdoor
   ↳ Secrets/tokens grabbed from the job
   ↳ Backdoor into the signed artifact
   ↳ Lateral movement to further repos

Without protection PPE ends in secrets theft and poisoned artifacts. With PoisonZero, writes into protected paths are evaluated and dangerous ones rolled back.

Why reviews miss it

Code reviewers look at business logic. A changed pipeline file slips through — and then runs with full privilege. It's exactly this "invisible" layer that makes PPE so effective.
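A pre-merge check that gives the pipeline layer a reviewer of its own, added here as an example for this page (not PoisonZero's or GitHub's code): it flags PRs that touch pipeline definitions at all, and scans workflow text for the pull_request_target-plus-PR-head-checkout pattern named in the TanStack paragraph above. The path list and the sample workflows are constructed for illustration; the matching is a heuristic over the raw text, not a full YAML parse.

```python
import re

# Pipeline definitions (list constructed for illustration; extend for your CI).
PIPELINE_PATHS = (".github/workflows/", "Jenkinsfile", ".gitlab-ci.yml")
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")

def pipeline_files(changed_files):
    """Return the changed paths that are pipeline definitions, not app code."""
    return [p for p in changed_files
            if any(p.startswith(x) or p.endswith(x) for x in PIPELINE_PATHS)]

def unsafe_pull_request_target(workflow_text):
    """pull_request_target runs with the base repo's secrets and write token;
    if the job also checks out the PR head, fork code runs with them."""
    triggered = "pull_request_target" in workflow_text
    runs_pr_code = bool(CHECKOUT.search(workflow_text) and PR_HEAD.search(workflow_text))
    return triggered and runs_pr_code

def review_pr(changed_files, workflows):
    """changed_files: the PR's file list; workflows: path -> content after merge."""
    findings = []
    touched = pipeline_files(changed_files)
    if touched:
        findings.append("pipeline definition changed: " + ", ".join(touched))
    for path, text in workflows.items():
        if unsafe_pull_request_target(text):
            findings.append(path + ": pull_request_target checks out the PR head")
    return findings

# Constructed sample: a PR that changes only the workflow file, as in a D-PPE.
CHANGED = [".github/workflows/ci.yml"]
UNSAFE_CI = """\
on: [pull_request_target]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""
# Same job on the plain pull_request trigger, checking out the merge ref: safe.
SAFE_CI = UNSAFE_CI.replace("pull_request_target", "pull_request").replace(
    "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", "")

if __name__ == "__main__":
    for finding in review_pr(CHANGED, {"ci.yml": UNSAFE_CI, "lint.yml": SAFE_CI}):
        print("FLAG:", finding)
```

Run it in the PR check and fail the job on any finding, so a workflow-only PR cannot merge on the strength of a business-logic review alone.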

Where PoisonZero steps in

AI agents increasingly run inside the pipeline (see AI agents in the CI/CD pipeline). PoisonZero protects their memory and config and evaluates writes into protected paths fail-closed (related: Supply-chain worms).
