Angel(dust) in the Cloud: TeamPCP shows the vulnerability of CI/CD systems
Amitai Cohen | Ben Read
While supply chain operations have been happening for decades, the last nine months have shown that combining these types of operations with the always-on, secret-rich environment of Continuous Integration/Continuous Deployment (CI/CD) pipelines can allow secret theft at a previously unseen scale. This vulnerability was spectacularly demonstrated by the TeamPCP campaigns in March and April, when TeamPCP was able to steal thousands of secrets that enabled deep access to dozens of companies.