Changing Nothing, Yet Changing Everything: Exploring Rug Pulls in GitHub Workflows

Software Institute

Date: 28 May 2026 / 17:00 - 18:00

USI East Campus, Room D1.13

Speaker: Edoardo Riggio, USI

Abstract: Software supply chain attacks have become a significant threat to modern software systems. By exploiting the complex and transitive nature of dependencies, malicious actors have been able to perform significant attacks, also taking advantage of the dynamic relationship between software components and their dependencies. In Continuous Integration and Continuous Deployment (CI/CD) ecosystems such as GitHub Actions, developers assemble workflows out of reusable Actions. However, these Actions, in particular JavaScript ones, come with an intricate network of dependencies. As they evolve, these dependency networks expose GitHub CI/CD pipelines to subtle vulnerabilities that may be introduced without any modification of the workflows themselves. This paper investigates this phenomenon, which we call a "rug pull", within GitHub workflows.

Biography: Edoardo Riggio is currently a PhD candidate in the DESIGN research group under the supervision of Prof. Dr. Cesare Pautasso. He graduated from USI in Informatics and later in Software and Data Engineering. Edoardo's research focuses on the security of software supply chains in DevOps environments.

Chair: Alessandro Giagnorio