For years, we wrote the defensive manuals. We built the "Living Off The Pipeline" (LOTP) inventory and released poutine to help you find the vulns. We even spoke at NorthSec about the theoretical risks of Build Pipeline compromise.
We have bad news: The Threat Actors were "in the room" taking notes.
In early 2025, we found the "smoking gun." A Threat Actor on BreachForums laid out the full attack plan for a 0-day compromise of a major Open Source project, giving a direct shout-out to our poutine scanner and LOTP research as the source. Our defensive work has become their offensive playbook.
In this talk, we stop playing defense.
Introducing SmokedMeat: The "Metasploit for CI/CD."
Our research team has a saying: 2025's Build Pipelines look like the average 2005 PHP Web App in terms of secure coding. They are wide open to "pwn requests" and command injections that lead to secrets exfiltration or privilege escalation via overprivileged tokens. SmokedMeat is the first Open Source Red Team framework designed to commoditize these compromises, demonstrating exactly what happens when a Threat Actor turns your infrastructure against you.
We will demonstrate a full exploitation chain: pivoting from unprivileged anonymous access on public repositories to private repository and intellectual property theft, the "gone in 60 seconds" jump from a workflow runner directly to permanent Cloud Admin, and the ability to escape ephemeral job contexts to implant permanent backdoors on your build infrastructure.
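To make the two workflow weaknesses above concrete from the defender's side, here is a small detector written for this summary (it is not poutine's code and not part of the talk). It assumes GitHub Actions YAML as the format, works on the raw text without a YAML library, and uses a constructed, deliberately non-exhaustive list of attacker-controlled event fields: it flags `${{ }}` expressions interpolated into `run:` steps (command injection) and the `pull_request_target` plus checkout-of-PR-head combination (the "pwn request").

```python
import re

# Event fields an external contributor controls (constructed, non-exhaustive
# list); interpolating them into a `run:` step is shell command injection.
UNTRUSTED = re.compile(r"github\.(?:head_ref|event\.(?:issue|pull_request|comment)"
                       r"\.(?:title|body|head\.ref|head\.label|user\.login))")
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def find_injections(workflow_text):
    """Return (line_no, context) for each untrusted expression in a run: step."""
    findings, in_run, run_indent = [], False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("- "):  # list item: the key sits after the dash
            stripped, indent = stripped[2:], indent + 2
        if stripped.startswith("run:"):
            in_run, run_indent = True, indent
        elif in_run and stripped and indent <= run_indent:
            in_run = False  # a sibling key (env:, with:) ends the run block
        if in_run:
            for m in EXPR.finditer(line):
                hit = UNTRUSTED.search(m.group(1))
                if hit:
                    findings.append((no, hit.group(0)))
    return findings


def is_pwn_request(workflow_text):
    """True when a pull_request_target workflow checks out the PR head (fork code runs with base-repo secrets)."""
    return "pull_request_target" in workflow_text and re.search(
        r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.", workflow_text
    ) is not None


# Constructed sample; the safe form passes the title via env: and uses "$TITLE".
SAMPLE = """\
on: [pull_request_target]
jobs:
  triage:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "PR: ${{ github.event.pull_request.title }}"
        env:
          TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: echo "branch ${{ github.head_ref }}"
"""
```

Running `find_injections(SAMPLE)` reports lines 9 and 12, and `is_pwn_request(SAMPLE)` is true; moving the title into `env:` and referencing `"$TITLE"` in the script clears the injection finding.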
The era of "awareness" is over. This talk is a live demonstration of why your current CI/CD security strategy is already obsolete.
François Proulx, VP of Security Research, BoostSecurity.io
François Proulx is the VP of Security Research at BoostSecurity.io and the co-creator of the poutine Open Source CI/CD scanner. He co-founded the "Living Off The Pipeline" (LOTP) project to describe the abuse of build tools for lateral movement. After spending years teaching defenders how to secure their workflows, he is now demonstrating how attackers are dismantling them.