
Università della Svizzera italiana

Faculty of Informatics

 
 
 

INF Seminars

 
 

Changing Nothing, Yet Changing Everything: Exploring Rug Pulls in GitHub Workflows
 

28.05

17:00 - 18:00
USI East Campus, Room D1.13
Abstract: Software supply chain attacks have become a significant threat to modern software systems. By exploiting the complex and transitive nature of dependencies, malicious actors have been able to perform significant attacks, also taking advantage of the dynamic relationship between software components and their dependencies. In Continuous Integration and Continuous Deployment (CI/CD) ecosystems such as GitHub Actions, developers assemble workflows out of reusable Actions. However, these Actions, in particular JavaScript ones, come with an intricate network of dependencies. As they evolve, these dependency networks expose GitHub CI/CD pipelines to subtle vulnerabilities that may be introduced without any modification of the workflows themselves. This work investigates this phenomenon, which we call a "rug pull" within GitHub workflows.
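One concrete way a workflow's behaviour can change without the workflow file being edited is that a `uses:` line refers to an Action by a mutable tag or branch (for example `@v4` or `@main`), so each run resolves to whatever commit the maintainer currently points that ref at, together with whatever dependencies that commit bundles. The script below is an added example, not code from the talk or the speaker's work: it scans a workflow for `uses:` references and reports the ones that are not frozen to a full commit SHA, a local path, or a container image digest. The sample workflow and its 40-character SHA are constructed placeholders. Note the caveat in the docstring: pinning by SHA freezes only the Action's checked-in code; dependencies an Action resolves at run time are outside what this check sees.

```python
"""Flag GitHub Actions `uses:` references that can change without a workflow edit.

Added example, not part of the talk or the speaker's work. It inspects only the
`uses:` lines of a workflow; it does not model the Action's own dependency tree,
and a full-SHA pin freezes the Action's checked-in code, not anything the Action
fetches while it runs.
"""
import re
from typing import List, Tuple

# Constructed sample workflow. The 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - uses: "owner/some-action@main"
      - run: npm ci && npm test
"""

# A `uses:` line, optionally as a list item; the value is the first non-space run.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# GitHub commit SHAs are 40 lowercase hex characters.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Return how stable a `uses:` reference is.

    sha            pinned to a full commit SHA: the Action's checked-in code is frozen
    local          path inside the calling repository: versioned with the workflow
    docker-digest  container image pinned by sha256 digest
    docker-tag     container image referenced by a mutable tag
    mutable        tag or branch that the Action maintainer can move
    missing-ref    no ref at all (invalid for remote Actions; treated as unpinned)
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-tag"
    if "@" not in ref:
        return "missing-ref"
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA.match(version) else "mutable"


def extract_uses(workflow_text: str) -> List[str]:
    """Pull every `uses:` value out of a workflow, quotes and trailing comments removed."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if m:
            refs.append(m.group(1).strip("\"'"))
    return refs


def audit(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (reference, classification) for every ref that is not frozen."""
    frozen = {"sha", "local", "docker-digest"}
    findings = []
    for ref in extract_uses(workflow_text):
        kind = classify_ref(ref)
        if kind not in frozen:
            findings.append((ref, kind))
    return findings


if __name__ == "__main__":
    for ref, kind in audit(SAMPLE_WORKFLOW):
        print(f"{kind:14} {ref}")
```

Run against the constructed sample, the audit reports `actions/checkout@v4`, `docker://alpine:3.20` and `owner/some-action@main`, and passes the SHA-pinned and local steps. Rewriting a flagged line to a full commit SHA (keeping the tag as a trailing comment, as in the `setup-node` line) is the usual hardening; it makes any update to the Action visible as a change in the workflow file itself.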

Chair: Alessandro Giagnorio
 
 

Edoardo Riggio

Università della Svizzera Italiana

 

Thursday

Edoardo Riggio is currently a PhD candidate in the DESIGN research group under the supervision of Prof. Dr. Cesare Pautasso. He graduated from USI in Informatics and later in Software and Data Engineering. Edoardo's research focuses on the security of software supply chains in DevOps environments.
