Max CM

Security Architect and Red Team Lead, Figment

Max Courchesne-Mackie is a cyber security professional with over a decade of experience spanning defense, red teaming, and blockchain security. Max currently serves as a Security Architect at Figment, the leading independent staking infrastructure provider globally. He began his career in the defense industry focused on offensive security, a discipline that remains his core passion and informs his pragmatic approach to risk. Today, Max designs and reviews secure systems for the blockchain industry - an environment facing relentless, rapidly evolving threats. He partners with engineering and product teams to harden architectures, pressure-test assumptions, and translate attacker tradecraft into practical controls. Max's recent work centers on threat modeling for decentralized systems, secure key and wallet management, and building detection and response mechanisms that assume breach.


Talk: Commit, Push, Compromise: Attacking Modern GitHub Orgs

Talks will be streamed on YouTube and Twitch for free.


GitHub gives attackers something they love: a place where identity, automation, and production changes meet. Once they’re in, the path from “read access” to “shipping malicious code” can be disturbingly short.

In this talk, we walk through realistic attack paths into GitHub organizations, starting with initial access techniques like device-code phishing and the abuse of trusted GitHub Apps (including the GitHub CLI). From there, we explore how different credential types enable access: long-lived Personal Access Tokens that often persist on developer machines, and short-lived automation credentials like GITHUB_TOKEN that can still leak through logs, artifacts, or misconfigured workflows, and how both can then be leveraged to move laterally or expand privileges.

We highlight tactics we’ve developed and researched post-initial access: how you can abuse sensitive workflows, exploit approval and review dynamics, and find paths around policy guardrails like “protected” pipelines and code-signing rulesets. We’ll also discuss tradeoffs attackers make to reduce forensic visibility and delay detection in environments where GitHub’s native telemetry is limited.

We close with practical defender takeaways: detection strategies and response playbooks focused on the signals that matter and how to improve monitoring coverage in the places GitHub is hardest to observe.

Attendees will leave with a shared framework that’s useful on both sides of the table. Defenders will get a checklist for reducing risk across identities, tokens, integrations, and Actions workflows, plus concrete ideas for building higher-signal detection and response in places where visibility is lacking. Red teams will gain a realistic map of where GitHub controls tend to break down in practice, along with a set of hypotheses to test during assessments that go beyond “find a secret in a repo.” The goal is to walk out with sharper intuition for how small weaknesses chain into meaningful impact, and practical ways to either validate that risk (red teams) or eliminate it (blue teams) without grinding delivery to a halt.