logo

CNCF Project Antrea Compromised in Daring GitHub Attack

ID: a26e119a-7850-5a3e-8cfb-9a968f62ec4b

STIX ID: report--a26e119a-7850-5a3e-8cfb-9a968f62ec4b

Feed Name: OpenSourceMalware Blog

Threat Score
75/100

Date Published: 2026-05-05

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

On May 2, 2026 an unknown actor (GitHub account 0xedgerunner) launched a malicious pull-request campaign against the CNCF Antrea project that used forked-PR triggered Jenkins jobs to execute payloads (Python deserialization and shell scripts) which probed the Jenkins controller, attempted to harvest IMDSv2 AWS credentials and local secrets, and exfiltrated data via paste.rs and webhook.site; the PR was closed after maintainers detected the activity, the report documents IOCs and recommends SHA-pinning actions and requiring maintainer approval for slash-command CI triggers.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.