CI/CD pipeline abuse: the problem no one is watching
ID: 0374e627-897e-5566-bebe-f731c29b55b8
STIX ID: report--0374e627-897e-5566-bebe-f731c29b55b8
Feed Name: Elastic Security Labs
This Elastic Security Labs report analyzes CI/CD pipeline abuse as a major and evolving attack surface, in which compromised developer credentials combined with modified workflow files enable large-scale secret exfiltration, supply-chain manipulation, and remote code execution. It introduces cicd-abuse-detector, a cross-platform CI template that extracts 50+ regex signals from diffs and uses LLM-based analysis to produce structured verdicts. The detections are validated against real campaigns and offensive toolkits (e.g., Nord Stream, GhostAction, Shai-Hulud, ArtiPACKED), and the report provides concrete hardening guidance: pin actions to commit SHAs, scope secrets narrowly, avoid pull_request_target, use short-lived tokens, and set persist-credentials: false.
