How threat actors are using self-hosted GitHub Actions runners as backdoors
ID: 338acc4e-0b70-5542-83ef-61e987f329bb
STIX ID: report--338acc4e-0b70-5542-83ef-61e987f329bb
Feed Name: Sysdig Blog
Executive summary: The report analyzes the Shai-Hulud worm campaign that trojanized npm packages to compromise developer hosts, register and install rogue self-hosted GitHub Actions runners, and abuse vulnerable workflow triggers (notably repository discussions) as a command-and-control channel. It outlines the four-stage attack (repo creation, runner registration token acquisition, runner installation/execution, and deployment of a vulnerable workflow), identifies reliable indicators such as RUNNER_TRACKING_ID=0, hidden runner directories and suspicious runner names, and provides detection and mitigation guidance for monitoring, restricting, and hardening runner usage.
