Topic : Software supply chain, DevSecOps, CI/CD security
Firm : AGCG Genuine Consulting Group
AGCG Watch Note – When the development chain becomes the primary attack surface.
Supply chain / CI/CD attacks are no longer exceptional events: they are becoming a standard mechanism for compromising thousands of systems in a single operation.
For attackers, compromising the chain that produces the software is often more effective than targeting each application individually.
Since SolarWinds, Codecov, 3CX, and the compromise of widely used open source dependencies (Log4j, XZ Utils), supply chain attacks are no longer anomalies, but a well-established attack method. Attackers have realized that it’s often more effective to compromise the system that produces and distributes software... than the software itself.
DevOps environments and CI/CD pipelines now hold assets that are critical to the business: source code, secrets, production access, SaaS integrations, container images, and the build and deployment automation itself. They have become prime targets.
A modern application primarily relies on open source components (libraries, frameworks, tools). Attackers now target maintainers, popular packages, abandoned repositories, and exploit automatic updates to spread silently.
CI/CD pipelines contain everything an attacker dreams of: tokens, SSH keys, application secrets, access to registries and clusters, rights to staging and production environments. In many organizations, these pipelines are insufficiently isolated, poorly logged, and rarely audited for security.
“Dependency confusion” attacks exploit the fact that internal applications reference packages by bare names that can equally exist on public registries. By publishing a malicious package under the same name on a public registry, the attacker can cause misconfigured pipelines, those that resolve from both the private and the public index, to consume the compromised version.
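To make the mechanism and its fix concrete, here is an added Python model (not code from AGCG's note) of a resolver that merges a private and a public index and keeps the highest version, next to a pinned policy that restricts internal names to the private index and an audit check for name collisions; the registry contents and the `acme-` internal prefix are constructed assumptions.

```python
"""Model of the resolver behaviour that dependency confusion relies on, a
hardened policy, and an audit check. All registry data below is constructed."""

# Constructed registry contents: the private index hosts the internal package
# "acme-billing"; the public index also carries an entry with the same name
# and a much higher version, which is exactly the collision to detect.
PRIVATE_INDEX = {"acme-billing": ["1.4.0", "1.5.0"], "acme-auth": ["2.0.1"]}
PUBLIC_INDEX = {"requests": ["2.31.0"], "acme-billing": ["99.0.0"]}

# Assumed naming convention: every internal package starts with "acme-".
INTERNAL_PREFIXES = ("acme-",)


def _parse(version: str) -> tuple[int, ...]:
    """Turn '1.5.0' into (1, 5, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def resolve_naive(name: str) -> tuple[str, str]:
    """Vulnerable behaviour: merge both indexes and take the highest version,
    whichever source it comes from."""
    candidates = [(_parse(v), v, "private") for v in PRIVATE_INDEX.get(name, [])]
    candidates += [(_parse(v), v, "public") for v in PUBLIC_INDEX.get(name, [])]
    if not candidates:
        raise LookupError(f"unknown package {name}")
    _, version, source = max(candidates)
    return version, source


def resolve_pinned(name: str) -> tuple[str, str]:
    """Hardened behaviour: internal names are served only from the private
    index; the public index is never consulted for them."""
    if name.startswith(INTERNAL_PREFIXES):
        versions = PRIVATE_INDEX.get(name, [])
        if not versions:
            raise LookupError(f"internal package {name} missing from private index")
        return max(versions, key=_parse), "private"
    versions = PUBLIC_INDEX.get(name, [])
    if not versions:
        raise LookupError(f"unknown package {name}")
    return max(versions, key=_parse), "public"


def audit_requirements(requirements: list[str]) -> list[str]:
    """Flag internal package names that also exist on the public index."""
    return [name for name in requirements
            if name.startswith(INTERNAL_PREFIXES) and name in PUBLIC_INDEX]
```

Run `audit_requirements` against your manifests as a CI gate; the same collision check can be pointed at the real public registries once the internal naming convention is known.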
GitHub, GitLab, Jira, CircleCI, SonarQube, Artifactory, Cloud registries, testing platforms… The interconnected tool ecosystem is exploding. Each integration adds an attack surface, especially when authentication is weak, permissions too broad, and logs incomplete.
Attackers publish malicious packages on public registries (npm, PyPI, RubyGems, Maven Central, etc.). These packages embed code designed to steal secrets, exfiltrate source code, or deploy cryptocurrency mining.
By targeting runners, CI hooks, or authentication tokens, the attacker can manipulate build steps, insert malicious code into binaries, and retrieve secrets or sensitive artifacts. Once the pipeline is compromised, it becomes an ideal propagation vector.
Targeted phishing, password reuse, attacks on developers’ personal accounts contributing to critical projects: once the account is compromised, the attacker can push legitimate-looking but malicious versions to trusted repositories.
Image registries contain the base containers used by thousands of applications. A compromised or unmaintained image can propagate massive vulnerabilities across the entire ecosystem.
A compromised CI/CD chain is not visible in traditional dashboards: applications continue to deploy, tests pass, pipelines are “green.” Yet, the produced code may already be modified, instrumented, or weakened.
A single compromised dependency can affect thousands, even millions, of systems. A single vulnerable container image can be deployed across dozens of microservices and client environments.
A successful supply chain attack undermines trust in the entire value chain: publisher, integrator, operator, ecosystem. It generates significant regulatory, contractual, and reputational impacts, especially for SaaS players.
Several frameworks converge on the measures to implement: NIST SSDF, CISA Secure by Design & Secure CI/CD, OWASP SCVS, as well as recommendations from GitHub Security Lab or Sonatype.
In the DevSecOps and CI/CD audits performed by AGCG, a strong trend emerges: most organizations significantly underestimate their supply chain exposure.
In this context, even the slightest compromise of an account, pipeline, or registry can have a disproportionate impact compared to the initial incident.
It’s not just about “hardening CI/CD,” but about taking control of the software lifecycle, from design to production, by integrating security as a native property of the pipeline.
“Software supply chain has become one of the few points where a single action by an attacker can generate thousands of victims. Regaining control of the CI/CD chain means regaining control of your software sovereignty.”
— AGCG Genuine Consulting Group
Supply chain & CI/CD attacks represent one of the most asymmetric risks in the cyber landscape: a single compromised dependency, a single vulnerable pipeline, a single exposed secret can trigger system-wide impacts.
For organizations, the question is no longer whether they will be targeted through their software supply chain, but whether they will be ready when it happens. Taking control of the development cycle and CI/CD becomes a pillar of global resilience.
At AGCG, we help companies transform their CI/CD pipelines into trusted assets: audited, hardened, monitored, and aligned with international standards, making the software supply chain a differentiating factor rather than a weak point.