IaC Pipeline Poisoning
contained
Attacker Type: HYBRID
Confidence: 76%
Kill Chain: Execution
Events: 28
CRS Score: 79
Elapsed: 30m
EVENT TIMELINE
11:30:00 critical: Unsigned Terraform provider detected in pipeline
11:30:05 info: CIE: Pipeline execution blocked
11:31:00 info: Compromised CI token revoked
ATTACK NARRATIVE
An attacker with compromised CI credentials attempted to poison the Terraform pipeline by injecting a malicious provider plugin. The IaC Agent detected the unsigned provider binary and blocked the pipeline execution. All Terraform state files have been verified against known-good checksums. The compromised CI token has been revoked.
Affected Assets
terraform-state-s3
github-actions-terraform
ci-token-infra-deploy
Agent Layers Involved
iaac
cloud
PREDICTED NEXT MOVES
01 Modify Terraform state to inject backdoor resources
02 Add malicious provider plugin
03 Create hidden IAM role in Terraform
Pre-Blocked Paths
BLOCKED: Modify Terraform state to inject backdoor resources
BLOCKED: Add malicious provider plugin
BLOCKED: Create hidden IAM role in Terraform
COUNTER-ACTIONS EXECUTED
11:30:05 Blocked unsigned Terraform provider
11:35:00 Verified all state files against checksums
11:31:00 Revoked compromised CI token