Supply-chain worms
Modern supply-chain malware doesn't wait — it propagates itself: from one compromised package to the next, across CI runners, with stolen tokens as fuel.
Worms that learn
Shai-Hulud surfaced in September and came back two months later as "The Second Coming": at least 294,842 secrets exposed, 3,760 valid credentials — and 20% of the compromised machines were GitHub runners.
Miasma compromised @redhat-cloud-services npm packages with a credential-stealing, self-propagating worm.
Runner compromise → lateral movement
- After gaining access to a CI runner, attackers clone the reachable repos.
- They modify build artifacts before they're signed and pushed to registries.
- Persistence via self-hosted runner configs — the runner stays compromised.
Secrets exfiltration
- Directly into GitHub repos created by the attacker with stolen tokens.
- Over a DNS covert channel or HTTPS POST with custom headers.
- Theft from local
.envfiles and AWS/Azure config directories; IAM role abuse to enumerate secrets not on disk.
The link to agent memory
Worms need persistence. Agent memory, skills and config are a perfect, inconspicuous place for it — they survive reboots and pipeline runs and are re-read at every start.
Where PoisonZero steps in
PoisonZero evaluates writes into the protected agent paths. A worm trying to drop persistence there is stopped fail-closed and logged. More: Poisoned Pipeline Execution and AI agents in the CI/CD pipeline.
Break the worms' persistence.
PoisonZero stops poisoned writes into agent memory and config — fail-closed, with audit.
Try 14 days freeRead next: Poisoned Pipeline Execution · ClawHavoc: 1,184 poisoned skills · AI agents in the CI/CD pipeline