CNCF Project Antrea Compromised in Daring GitHub Attack
ID: a26e119a-7850-5a3e-8cfb-9a968f62ec4b
STIX ID: report--a26e119a-7850-5a3e-8cfb-9a968f62ec4b
Feed Name: OpenSourceMalware Blog
Date Published: 2026-05-05
Date Updated: 2026-06-20
Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2
On May 2, 2026 an unknown actor (GitHub account 0xedgerunner) launched a malicious pull-request campaign against the CNCF Antrea project that used forked-PR triggered Jenkins jobs to execute payloads (Python deserialization and shell scripts) which probed the Jenkins controller, attempted to harvest IMDSv2 AWS credentials and local secrets, and exfiltrated data via paste.rs and webhook.site; the PR was closed after maintainers detected the activity, the report documents IOCs and recommends SHA-pinning actions and requiring maintainer approval for slash-command CI triggers.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
