SmokedMeat: Open-source tool shows what attackers do inside CI/CD pipelines

Source: Help Net Security

Author: Mirko Zorz

ONE SENTENCE SUMMARY:

SmokedMeat is an open-source tool simulating real CI/CD exploit chains to demonstrate impact, prioritize fixes, and prevent supply-chain cascades.

Boost Security released SmokedMeat to emulate attacker behavior inside CI/CD environments.
It begins from a flagged pipeline vulnerability and executes a live, end-to-end exploit.
Demonstrations include deploying payloads and compromising CI/CD runners within target infrastructure.
The framework extracts credentials directly from process memory after runner compromise.
Stolen secrets can be exchanged for cloud access to expand attacker control.
Private repository exposure is simulated to show code and supply-chain compromise potential.
Blast-radius mapping helps quantify how far a single pipeline flaw can propagate.
CEO Zaid Al Hamami highlighted pivoting to implant malware and infect developer workflows.
TeamPCP (March 2026) compromised major tools and many npm packages using known techniques.
Unpatched vulnerabilities previously flagged by Boost’s Poutine scanner illustrated remediation deprioritization risks.

Seeing exploitation on your own infrastructure drives faster, better remediation decisions.
Pipeline vulnerabilities can rapidly escalate into cloud compromise and broad lateral movement.
Static findings like “workflow injection” often understate real-world attacker capabilities.
Supply-chain campaigns can cascade when known CI/CD weaknesses remain unpatched.
Free, open-source attack-simulation frameworks can operationalize CI/CD security improvements.