Living Off the Pipeline: Defending Against CI/CD Subversion
ID: ba43047a-6fa6-551d-8fba-cdcc41703a17
STIX ID: report--ba43047a-6fa6-551d-8fba-cdcc41703a17
Feed Name: SentinelOne Blog
The report outlines an increase in targeted attacks against software delivery pipelines in 2025, detailing how adversaries subvert CI/CD infrastructure—compromising build servers, registering rogue runners, poisoning dependencies, abusing service accounts, and tricking developers—to gain persistent, trusted access and distribute malicious artifacts through legitimate automation workflows. It emphasizes that these tactics make malicious activity blend with normal build behavior, undermining traditional detection, and calls for continuous verification of runners, dependencies, secrets, and pipeline actions.
