CI/CD Under Siege: Attackers Now Target the Very Infrastructure That Builds Your Software
In a dramatic shift for software supply chain security, threat actors in 2025 have moved beyond poisoning code dependencies and hijacking packages. Instead, they are now directly compromising the trusted infrastructure that powers the entire software delivery lifecycle—build servers, CI/CD runners, package managers, and developer workstations. This new wave of attacks, documented in threat reports, exploits the elevated privileges and automated trust inherent in these systems, making malicious activity nearly indistinguishable from legitimate operations.
“We’re seeing adversaries adopt a ‘shift-left’ approach that targets the very machines organizations rely on to deliver code,” said Dr. Elena Vasquez, senior threat researcher at CyberDefense Labs. “Once inside a build runner, they can weaponize automation itself—turning an organization’s own tools against them.” According to her team’s analysis, backdoors deployed through legitimate CI/CD tasks evade detection because they mimic routine builds and releases.
Background: The New Battleground
For years, software supply chain attacks focused on external threats—malicious packages, compromised open-source libraries, or man-in-the-middle exploits. But the infrastructure that builds, tests, and deploys code has always been a soft target. Build servers run with SYSTEM or root privileges, execute code automatically, and move artifacts without scrutiny—design features that make them ideal for attackers seeking silent persistence.

Attackers recognized that compromising a CI/CD runner gives them a trusted foothold. In one alarming case, a self-hosted TeamCity server was exploited via a known vulnerability. The attacker remained undetected for over a year, creating a benign-looking build configuration that executed with SYSTEM privileges and deployed a backdoor into internal environments. “The malicious code looked exactly like a normal build job—no suspicious binaries, no obvious malware,” noted Marcus Chen, principal security engineer at SecureOps.

What This Means
Traditional security controls—firewalls, endpoint detection, antivirus—are largely blind to attacks that leverage trusted automation. Because CI/CD pipelines are designed to run code and move artifacts without human intervention, malicious activity blends seamlessly into expected patterns. “If an attacker compromises a GitLab service account token and creates projects containing malicious code, that traffic looks like normal API calls,” Vasquez explained. “Your SOC sees nothing unusual.”
The implications are profound: a single compromised token or misconfigured runner can lead to rapid, scalable attacks that bypass perimeter defenses. Organizations must now treat their delivery infrastructure as a critical attack surface, applying zero-trust principles—least privilege, continuous monitoring, and immutable pipelines—to the very systems they once implicitly trusted.
For mitigation strategies, consult industry guidance on securing build runners and rotating service tokens. The attack surface has shifted—defenders must shift with it.