For years, we wrote the defensive manuals. We built the “Living Off The Pipeline” (LOTP) inventory and released poutine to help you find the vulns. We even spoke at NorthSec about the theoretical risks of Build Pipeline compromise.
We have bad news: The Threat Actors were “in the room” taking notes.
In early 2025, we found the “smoking gun.” A Threat Actor on BreachForums laid out the full attack plan for a 0-day compromise of a major Open Source project, giving a direct shout-out to our poutine scanner and LOTP research as the source. Our defensive work has become their offensive playbook.
In this talk, we stop playing defense.
Introducing SmokedMeat: The “Metasploit for CI/CD.”
Our research team has a saying: 2025's Build Pipelines look like the average 2005 PHP Web App in terms of secure coding. They are wide open to “pwn requests” and command injections that lead to secrets exfiltration or privilege escalation via overprivileged tokens. SmokedMeat is the first Open Source Red Team framework designed to commoditize these compromises, demonstrating exactly what happens when a Threat Actor turns your infrastructure against you.
We will demonstrate a full exploitation chain: pivoting from unprivileged anonymous access on public repositories to private repository and intellectual property theft, the “gone in 60 seconds” jump from a workflow runner directly to permanent Cloud Admin, and the ability to escape ephemeral job contexts to implant permanent backdoors on your build infrastructure.
The era of “awareness” is over. This talk is a live demonstration of why your current CI/CD security strategy is already obsolete.
