And I Would've Gotten Away With It, Too, If It Wasn't For You Meddling Researchers

Transcript

1. And I Would've Gotten Away With It, Too If It

   Wasn’t For You Meddling Researchers

2. Midnight, March 14th

3. Little did I know…

4. None

5. This talk could easily be about s1ngularity….

6. I don’t want to spend today recapping the incident …

7. But still - here’s a quick summary of tj-actions •

   November, 2024: a malicious pull request exploits a poisoned-pipeline execution flaw in spotbugs/sonar-findbugs to steal a PAT • December, 2024: that PAT allows the attacker to pivot to spotbugs/spotbugs and compromise an additional PAT • March 11, 2025: the compromise PAT is used to point reviewdog/action-setup@v1 temporarily to a malicious fork commit. tj-actions uses that action, leaking their PAT • March 14, 2025: the tj-actions PAT is used to first target Coinbase, then broadly poison tj-actions/changed-files

8. Instead, I want to talk about Rapid Response Research

9. 👋 Hi, I’m Rami • Cloud Risk Research Lead at

   Wiz • Previously: security things at Figma, Cedar, and NCC Group https://ramimac.me

10. Wiz Research https://wiz.io/research

11. Responding to emergent security news • Research & Analysis •

    Threat & Incident Response • Product & Development (by Monday morning)

12. Stories from along the way (chronologically)

13. March 15th - Community Slacks

14. Lesson 1: Always be archiving

15. March 17th - Twitter

16. Lesson 2: It’s not over until it’s over

17. March 17th - Security Slack

18. None

19. Lesson 3: Research is better with friends

20. Security is a team sport

21. Lesson 4: See Lesson 2

22. March 18th, 2025 - Google dorking

23. Digression: GitHub firehose • GHArchive: a project to record the

    public GitHub timeline, archive it, and make it easily accessible for further analysis • Available on BigQuery and Clickhouse

24. March 30th - Adnan Khan

25. Tracing Targeting

26. Responsible Disclosure

27. Tracing Targeting 8 days later

28. Lesson 5: Look everywhere

29. Excalidraw Magic

30. Lesson 6: An excalidraw is worth a thousand words

31. Lessons for Rapid Response Research 1. Security is a team

    sport: collaborate, share breadcrumbs, and pay attention to the ecosystem 2. Disclose responsibly, support open source maintainers 3. Seek alternative data sources, and archive your data 4. An excalidraw is worth a thousand words 5. Keep it fun! https://speakerdeck.com/ramimac

32. THANK YOU (and please go provide feedback!)