---
title: "SmokedMeat: A Red Team Tool to Hack Your Pipelines First"
tldr: "In March 2026, TeamPCP unleashed mayhem on the software supply chain: compromising Trivy, LiteLLM, KICS, Telnyx, and dozens of npm packages, proving that CI/CD pipelines are the softest target. Today we're open-sourcing SmokedMeat, the first red team framework for build pipelines (i.e. CI/CD), so defenders can finally see the full kill chain for themselves."
author: François Proulx
date: 2026-04-15
category: tools
featured: true
tags:
  - smokedmeat
  - ci-cd
  - red-team
  - open-source
  - supply-chain
  - poutine
banner: /images/articles/introducing-smokedmeat-banner.png
bannerAlt: "SmokedMeat: A Red Team Tool to Hack Your Pipelines First"
---

**TL;DR**: In March 2026, TeamPCP unleashed mayhem on the software supply chain: compromising Trivy, LiteLLM, KICS, Telnyx, and dozens of npm packages, proving that CI/CD pipelines are the softest target. Today we're open-sourcing <strong style="color: var(--accent-amber);">SmokedMeat</strong>, <strong style="color: var(--accent-amber);">the first</strong> red team framework for build pipelines (i.e. CI/CD), so defenders can finally see the full kill chain for themselves.

---

In December 2025, we [warned that threat actors were weaponizing defensive research as an offensive playbook](/articles/defensive-research-weaponized-the-2025-state-of-pipeline-security): they were citing [`poutine`](https://github.com/boostsecurityio/poutine) and our [LOTP catalog](https://boostsecurityio.github.io/lotp/) on [BreachForums](https://en.wikipedia.org/wiki/BreachForums) before hitting real targets. The era of awareness ended, and the era of exploitation began.

A few months later, [TeamPCP](https://isc.sans.edu/diary/TeamPCP+Supply+Chain+Campaign+Update+007+Cisco+Source+Code+Stolen+via+TrivyLinked+Breach+Google+GTIG+Tracks+TeamPCP+as+UNC6780+and+CISA+KEV+Deadline+Arrives+with+No+Standalone+Advisory/32880) [proved us right](https://ramimac.me/teampcp/). [MegaGame10418](/articles/megagame10418-the-user-behind-hackerbot-claw) [stole the `aqua-bot` PAT from Trivy's CI pipeline](/articles/20-days-later-trivy-compromise-act-ii) using the exact Pwn Request weakness [`poutine`](https://github.com/boostsecurityio/poutine) had flagged months earlier. The campaign cascaded into [LiteLLM](/articles/teampcp-litellm-supply-chain-compromise), KICS, Telnyx, and dozens of npm packages: 70+ private repos exposed, 230+ CI secrets at risk.

[`poutine`](https://github.com/boostsecurityio/poutine) tells you *where* your pipelines are vulnerable. Our articles tell you *what happens* when someone exploits them. But defenders still can't *see the kill chain* end-to-end, and that gap is what lets findings get deprioritized while TeamPCP turns a workflow injection [into your AWS production credentials in under 60 seconds](https://www.youtube.com/watch?v=GJhab1qXNig).

We built [SmokedMeat](https://github.com/boostsecurityio/smokedmeat) to close that gap.

## SmokedMeat: like Metasploit, but for CI/CD

[SmokedMeat](https://github.com/boostsecurityio/smokedmeat) is an AGPLv3-licensed, open-source red team and post-exploitation framework for CI/CD pipelines. It walks you through the full attack lifecycle TeamPCP is running in the wild, except you're the one running it, against your own infrastructure.

1. **Reconnaissance**: Scan GitHub Actions workflows for injection vulnerabilities, ["pwn request"](https://securitylab.github.com/resources/github-actions-new-patterns-and-mitigations/) exposure, and overly permissive tokens
2. **Exploit**: Auto-craft a payload and deploy a stager via PR, issue, comment, or workflow dispatch. When the vulnerable workflow runs, a cross-platform implant phones home from the CI runner
3. **Post-exploit**: Sweep runner process memory for secrets in seconds, enumerate token permissions, collect loot
4. **Pivot**: Exchange OIDC tokens for AWS/GCP/Azure access, discover private repos with stolen PATs and run embedded [Gitleaks](https://github.com/gitleaks/gitleaks) to surface hardcoded credentials, probe SSH deploy keys, and map the full blast radius in a live visual attack graph
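
To make the three recon finding classes from step 1 concrete from the defender's side, here is a small workflow check, added as an illustration; it is not SmokedMeat or `poutine` code and does not reproduce their rules. The function name `audit`, the finding ids, and both sample workflows are constructed for this example, and the matching is line-based heuristics rather than a real YAML parse.

```python
import re
UNTRUSTED = re.compile(  # attacker-influenced contexts (a subset, not exhaustive)
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:issue|pull_request|comment|review)"
    r"\.(?:title|body|head\.ref|head\.label))[^}]*\}\}")
PR_HEAD = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)")

def audit(workflow):  # line heuristics, no YAML parser; returns sorted finding ids
    found = set()
    perm = re.search(r"^[ \t]*permissions:[ \t]*(\S*)", workflow, re.M)
    if not perm or perm.group(1) == "write-all":
        found.add("token-overbroad")       # GITHUB_TOKEN scope unset or write-all
    if "pull_request_target" in workflow and PR_HEAD.search(workflow):
        found.add("pwn-request")           # privileged trigger checks out PR head code
    run_indent = None                      # column of the active `run:` key, if any
    for line in workflow.splitlines():
        body = line.lstrip()
        indent = len(line) - len(body)
        if re.match(r"(?:-\s+)?run:", body):
            run_indent = indent + (2 if body.startswith("-") else 0)
        elif run_indent is not None and body and indent <= run_indent:
            run_indent = None              # dedent: the run block ended
        if run_indent is not None and UNTRUSTED.search(line):
            found.add("script-injection")  # expression expanded into shell text
    return sorted(found)

# Constructed sample workflows (not taken from any real repository).
RISKY = """\
on: pull_request_target
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "PR: ${{ github.event.pull_request.title }}"
"""
HARDENED = """\
on: pull_request_target
permissions:
  contents: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR: $TITLE"
"""
```

`audit(RISKY)` reports all three classes, while the hardened variant, which pins `permissions`, drops the PR-head checkout, and passes the title through `env` instead of expanding it into the script, reports none.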

[Brisket](https://github.com/boostsecurityio/smokedmeat/tree/main/cmd/brisket) is to CI/CD runners what Meterpreter is to endpoints: a purpose-built, domain-specific post-exploitation implant, not a raw shell. [H.D. Moore](https://en.wikipedia.org/wiki/H._D._Moore), creator of Metasploit, gave it his blessing: *"Fully supportive of the Metasploit comparison."*

SmokedMeat stands on the shoulders of [Adnan Khan](https://adnanthekhan.com)'s [Gato-X](https://github.com/AdnaneKhan/gato-x), which pioneered self-hosted runner exploitation. Where Gato-X leaves off, at the initial shell, SmokedMeat picks up: full kill chain, C2, cross-platform implant, cloud pivot.

<div style="display: grid; grid-template-columns: 1fr 1fr; gap: 0.5rem; margin: 1.5em 0;">
  <img src="/images/articles/inline/introducing-smokedmeat-recon.png" alt="SmokedMeat Counter TUI: recon phase showing discovered workflows, injection points, and secrets" />
  <img src="/images/articles/inline/introducing-smokedmeat-wizard.png" alt="SmokedMeat Payload Wizard: guided exploit configuration for a workflow injection" />
  <img src="/images/articles/inline/introducing-smokedmeat-post-exploit.png" alt="SmokedMeat post-exploit phase: stolen tokens, permissions enumeration, and loot stash" />
  <img src="/images/articles/inline/introducing-smokedmeat-attack-graph.png" alt="SmokedMeat attack graph: full visual map of repositories, workflows, vulnerabilities, and pivots" />
</div>

*This is what SmokedMeat looks like from the operator's seat: a cross-platform Terminal UI (TUI) that walks you through recon, payload crafting, post-exploitation, and a live attack graph.*

## Battle-tested during Private Beta

Before open-sourcing, we put SmokedMeat in the hands of seasoned offensive security practitioners and supply chain researchers: Red Teamers at Fortune 500 companies, security teams at large enterprises, and [Piergiorgio Ladisa](https://piergiorgioladisa.com/#research), author of the first PhD thesis on modern software supply chain threats. Piergiorgio's reaction after his first run:

> *"Honestly, I was stunned. It makes the exploitation so easy."*
> — Piergiorgio Ladisa

## What you'll see in minutes

Clone the repo. Run `make quickstart`. Point it at [whooli](https://github.com/whooli), a fake company GitHub org we built as a deliberately vulnerable CI/CD playground for safe experimentation.

```console
git clone https://github.com/boostsecurityio/smokedmeat.git
cd smokedmeat
make quickstart
# Only target systems you own or have explicit written authorization to test.
```

From "anyone can comment on a public issue" to "attacker is admin in your cloud account" in minutes. Try it safely against [whooli](https://github.com/whooli), then point it at your own org to see what an attacker would see.

## The era of awareness is over. This was Part 1.

Two years ago today, we [open-sourced `poutine`](/articles/unveiling-poutine-an-open-source-build-pipelines-security-scanner). The industry got awareness. What it didn't get was the ability to *feel* what a CI/CD compromise looks like from the attacker's seat.

SmokedMeat changes that. Run it. Show your CISO, in their own pipelines, what an attacker can do with the workflow injection your last [`poutine`](https://github.com/boostsecurityio/poutine) scan flagged. Then fix it, not next sprint, now. The [step-by-step tutorial](https://github.com/boostsecurityio/smokedmeat/blob/main/TUTORIAL.md) walks you through it end-to-end.

More techniques, exploit chains, and integrations ship in the repo than this post covers. Hands-on follow-ups coming in the weeks ahead.

<div style="text-align: center; margin: 2.5em 0;">
  <p style="font-size: 1.1em; margin-bottom: 0.75em;">If you liked it, give it a <a href="https://github.com/boostsecurityio/smokedmeat"><img src="/images/articles/inline/github-stars-logo.png" alt="GitHub Star" data-no-lightbox style="display: inline; vertical-align: middle; height: 1.6em; margin: 0 0.15em;" /></a> on <a href="https://github.com/boostsecurityio/smokedmeat">GitHub</a>.</p>
  <p style="color: var(--text-muted); font-size: 0.95em;">Share it. Contribute. An open-source project from <a href="https://labs.boostsecurity.io/">Boost Security Labs</a>.</p>
</div>

## Come see us demo it live on stage

We'll be demoing SmokedMeat at two conferences this year:

- **[NorthSec](https://nsec.io/session/2026-living-off-the-pipeline-defensive-research-weaponized.html)** - May 14-15, Montréal, Canada
- **[TROOPERS](https://troopers.de/troopers26/conference/)** - June 24-25, Heidelberg, Germany

The talk is called *"Living Off The Pipeline: Defensive Research, Weaponized"*, the same story, told live, with demos.

---

<small>

**On the naming, for those keeping score.** Our open-source tools are named after Montréal deli staples: `poutine` (the scanner), then [`bagel`](https://github.com/boostsecurityio/bagel), and now [`smokedmeat`](https://github.com/boostsecurityio/smokedmeat). If you've never been to [Schwartz's](https://en.wikipedia.org/wiki/Montreal-style_smoked_meat) on Saint-Laurent, picture a decades-old institution where brisket sits in a smoker until transcendent, then gets hand-sliced at the counter and tucked into rye. The metaphor writes itself: the [**Counter**](https://github.com/boostsecurityio/smokedmeat/tree/main/cmd/counter) is the operator TUI (where you sit), the [**Kitchen**](https://github.com/boostsecurityio/smokedmeat/tree/main/cmd/kitchen) is the TeamServer C2 (where the orders come in), the [**Brisket**](https://github.com/boostsecurityio/smokedmeat/tree/main/cmd/brisket) is the implant (the meat of it all), the **Smoker** is the CI runner it executes inside, and the [**Rye**](https://github.com/boostsecurityio/smokedmeat/tree/main/internal/rye) is the stager payload that delivers it. Montréalers will get it immediately. The best poutine in the city is at [La Banquise](https://en.wikipedia.org/wiki/La_Banquise), and the best bagels are at [St-Viateur](https://en.wikipedia.org/wiki/St-Viateur_Bagel).

</small>
