
One post tagged with "ci-cd"


CI/CD Pipeline Compromise: How Attackers Turn Your Build System Into a Persistent Backdoor Into Production

· 40 min read
Inference Defense
Threat Intelligence & Detection Engineering

Your software supply chain is already inside your network perimeter. Every time a developer pushes a commit, your CI/CD pipeline authenticates to your cloud provider, pulls secrets from your vault, builds and signs artifacts, and pushes code directly to production, all without a human approving a single step. Attackers figured this out in 2020 with SolarWinds, refined it through the Codecov breach in 2021, operationalized it at scale with the 3CX and XZ Utils compromises in 2023–2024, and in August 2025 UNC6395 used it to compromise Drift's GitHub account, steal OAuth tokens, and gain access to hundreds of organizations' Salesforce environments without ever touching a single victim's network directly. The attack surface is not a misconfiguration you can patch. It is the pipeline itself.