How threat actors are using self-hosted GitHub Actions runners as backdoors
ID: 303050b3-d61d-5db6-a4bf-bd3bf0207788
STIX ID: report--303050b3-d61d-5db6-a4bf-bd3bf0207788
Feed Name: Sysdig Blog
This report analyzes the Shai-Hulud worm campaign, which compromises developer hosts and installs rogue self-hosted GitHub Actions runners as persistent backdoors. The attacker creates lightweight repositories, obtains runner registration tokens, installs and runs the official runner (often with RUNNER_ALLOW_RUNASROOT=1 and a persistent svc configuration), and uploads a vulnerable workflow (e.g., unsanitized discussion interpolation and RUNNER_TRACKING_ID=0) that turns GitHub Discussions into a C2 channel. The report outlines detection indicators (RUNNER_TRACKING_ID=0, the runner name SHA1HULUD, hidden install paths), recommended detection rules, and mitigations such as avoiding self-hosted runners on public repositories, using ephemeral runners, restricting runner network access, and auditing runner inventories.
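The indicators listed in the summary can be checked on a host with a short triage script. The following is an added example, not code from the Sysdig report: it scores process snapshots against those indicators (RUNNER_TRACKING_ID=0, a root runner with RUNNER_ALLOW_RUNASROOT=1, the runner name SHA1HULUD, and a dot-prefixed install directory). The snapshot records are constructed; on a live host they would be filled from /proc/<pid>/cmdline, /proc/<pid>/environ, /proc/<pid>/cwd and the runner's .runner config file. The list of runner binary names and the `agentName` key of `.runner` are assumptions about the official actions/runner package, not facts stated on this page.

```python
"""Triage process snapshots for the rogue self-hosted runner indicators above.

Added example, not from the Sysdig report. Sample records below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed names of the binaries/scripts shipped with the official runner package.
RUNNER_BINARIES = ("Runner.Listener", "Runner.Worker", "run.sh", "svc.sh")
KNOWN_BAD_RUNNER_NAME = "SHA1HULUD"  # runner name called out in the report


@dataclass
class ProcSnapshot:
    pid: int
    uid: int
    cmdline: str
    cwd: str
    environ: Dict[str, str] = field(default_factory=dict)
    # agentName read from <install_dir>/.runner (assumed key), only for runners
    runner_name: Optional[str] = None


def is_runner_process(p: ProcSnapshot) -> bool:
    return any(b in p.cmdline for b in RUNNER_BINARIES)


def has_hidden_component(path: str) -> bool:
    """True if any directory on the path is dot-prefixed (e.g. /home/dev/.dev-space)."""
    return any(part.startswith(".") and part not in (".", "..")
               for part in path.split("/"))


def findings_for(p: ProcSnapshot) -> List[str]:
    out: List[str] = []
    # RUNNER_TRACKING_ID=0 is set by the malicious workflow, so it is inherited by
    # job child processes; check every process, not only the runner binary.
    if p.environ.get("RUNNER_TRACKING_ID") == "0":
        out.append("RUNNER_TRACKING_ID=0 in environment")
    if not is_runner_process(p):
        return out
    # The remaining indicators only make sense for runner processes.
    if p.uid == 0 and p.environ.get("RUNNER_ALLOW_RUNASROOT") == "1":
        out.append("runner executing as root with RUNNER_ALLOW_RUNASROOT=1")
    if p.runner_name and p.runner_name.upper() == KNOWN_BAD_RUNNER_NAME:
        out.append(f"runner registered as {p.runner_name}")
    if has_hidden_component(p.cwd):
        out.append(f"runner installed under hidden path {p.cwd}")
    return out


def scan(procs: List[ProcSnapshot]) -> Dict[int, List[str]]:
    """Return {pid: [indicators]} for every process with at least one hit."""
    result: Dict[int, List[str]] = {}
    for p in procs:
        hits = findings_for(p)
        if hits:
            result[p.pid] = hits
    return result


# Constructed snapshot: a sanctioned runner, a rogue runner matching the report's
# indicators, and a shell a job left behind with tracking disabled.
SAMPLE_PROCS = [
    ProcSnapshot(pid=1001, uid=1000,
                 cmdline="/opt/actions-runner/bin/Runner.Listener run",
                 cwd="/opt/actions-runner", runner_name="build-01"),
    ProcSnapshot(pid=4242, uid=0,
                 cmdline="/home/dev/.dev-space/bin/Runner.Listener run",
                 cwd="/home/dev/.dev-space",
                 environ={"RUNNER_ALLOW_RUNASROOT": "1", "RUNNER_TRACKING_ID": "0"},
                 runner_name="SHA1HULUD"),
    ProcSnapshot(pid=5150, uid=0, cmdline="/bin/bash -c 'sleep 3600'",
                 cwd="/tmp", environ={"RUNNER_TRACKING_ID": "0"}),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_PROCS).items():
        print(pid, "->", "; ".join(hits))
```

Any hit on a runner process should be followed by an inventory check: compare the registered runner name and install path against the list of runners your organization actually provisioned, since a single dot-prefixed directory or an unexpected name is the cheapest signal the report offers.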
