Date: 2024-04-16

Two weeks before compromising a domain-joined Microsoft server, former coworker Adnan Khan discovered a critical supply chain vulnerability in GitHub’s Runner Images. Inspired by this attack and CI/CD research we’d performed during Red Team engagements, we teamed up to see who else was vulnerable.

Microsoft DeepSpeed was our first joint target, and my first time ever performing public vulnerability research.

During our attack on DeepSpeed, we compromised a server joined to Microsoft’s largest Active Directory domain with the privileges of a Microsoft Senior Developer.

This is the story of how we breached Microsoft, kick-started a partnership that would change the landscape of self-hosted GitHub CI/CD security, and the growing pains we experienced along the way.