Living Off The Pipeline: Defensive Research, Weaponized

We created “Living Off The Pipeline” (LOLBAS for CI/CD) and a 0-day vuln scanner, then we saw Threat Actors on BreachForums were paying attention. Enter the “Metasploit for CI/CD.” In this live kill-chain, we exploit “pwn requests” to pivot from a public GitHub repo to private repos. We show how anonymous users gain “insider” privileges to exfiltrate secrets, poison releases, and escalate to Cloud Admin.

For years, our research team wrote the defensive manuals. We built the “Living Off The Pipeline” (LOTP) inventory and released poutine (our open-source vulnerability scanner) to help defenders find the holes. But we have bad news: Threat Actors were taking notes. In early 2025, we found the “smoking gun” on BreachForums: a full attack plan for a 0-day compromise that gave a direct shout-out to our defensive research as its source. Our work had become their offensive playbook.

In this talk, we stop playing defense. We introduce SmokedMeat, the “Metasploit for CI/CD.”

Our research shows that 2025’s Build Pipelines look like the average 2005 PHP Web App in terms of secure coding, wide open to “pwn requests” and command injections. SmokedMeat is the first Open Source Red Team framework designed to commoditize these compromises, demonstrating exactly what happens when a Threat Actor turns your infrastructure against you.

We will demonstrate a full exploitation chain:

  1. Reconnaissance: Pivoting from unprivileged, anonymous access to public repositories, using poutine to find the weak spots.
  2. Exploitation: Stealing private repository secrets and intellectual property via automated “pwn requests”.
  3. Persistence: The “gone in 60 seconds” jump from an ephemeral workflow runner directly to permanent Cloud Admin, implanting backdoors on build infrastructure.

The era of simple “awareness” is over. This talk demonstrates why your current CI/CD security strategy is already obsolete.

About the Speaker