Github Self-Hosted Runner Execution

Rule Info

Name: Github Self-Hosted Runner Execution
Author: Daniel Koifman (KoifSec)
Description: Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments. It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
Date: 2025-11-29 00:00:00
Modified: None
Id: 5bac7a56-da88-4c27-922e-c81e113b20cb
Tags: attack.command-and-control attack.t1102.002 attack.t1071
Type: Community Rule

Rule History

Author | Title | Date | Commit
Koifman | Merge PR #5782 from @Koifman - Add `Github Self-Hosted Runner Execution` | 2025-12-04 |