Runner Guard Flags Obfuscated Payload Execution in 36 GitHub Actions Workflows: 38 High-Severity IOC Matches
A sweeping static-analysis scan by Runner Guard has uncovered 38 high-severity instances of suspicious payload execution patterns embedded across 36 unique GitHub Actions workflows. Rule RGS-018 triggered on code blocks in repository `run:` directives that match known indicators of compromise (IOCs) drawn from active supply chain attack campaigns—suggesting either active exploitation or critical susceptibility to credential-harvesting and arbitrary-code-execution vectors.
The flagged patterns span a range of obfuscation techniques commonly associated with malicious CI/CD pipelines. These include chained `eval` statements paired with base64 decoding routines (`eval(base64.b64decode(...))`, `base64 --decode | bash`), malware marker variables, persistence file paths, and detected command-and-control (C2) communication signatures. Each pattern was identified through Runner Guard's threat signature database, indicating the signatures correspond to documented attack infrastructure or tooling. The concentration within workflow `run:` blocks means the malicious logic executes within the CI/CD runner environment—a high-privilege context with access to secrets, tokens, and deployment pipelines.
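To make the detection concrete, the following Python script is an added illustration written for this article; it is not Runner Guard's code, and the rule names, the signature regexes and the sample workflow are all constructed for the example (the encoded payloads in the sample decode to harmless strings). It pulls every `run:` block out of a workflow file (inline values and `|`/`>` block scalars), matches the two obfuscation shapes named above, and decodes the base64 literals for triage without executing anything:

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Constructed sample workflow for the demo (not one of the flagged 36).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: pytest -q
      - name: Suspicious step
        run: |
          echo "starting"
          echo aGVsbG8= | base64 --decode | bash
      - name: Inline python
        run: python3 -c "import base64;eval(base64.b64decode('cHJpbnQoMSk='))"
"""

# Matches a `run:` key, optionally as the first key of a list item (`- run:`).
RUN_KEY = re.compile(r'^(?P<indent>\s*)(?P<dash>-\s+)?run:\s*(?P<value>.*)$')
BLOCK_SCALAR = re.compile(r'^[|>][+-]?\s*(#.*)?$')

# Hypothetical signature set modelled on the patterns the report names.
SIGNATURES = [
    ("PY-EVAL-B64", re.compile(r'eval\s*\(\s*base64\.b64decode\s*\(')),
    ("SH-B64-PIPE", re.compile(r'base64\s+(?:--decode|-d|-D)\b[^|\n]*\|\s*(?:ba|z|da)?sh\b')),
]
B64_CALL = re.compile(r"""b64decode\(\s*['"]([A-Za-z0-9+/=]+)['"]""")
ECHO_B64 = re.compile(r"""echo\s+['"]?([A-Za-z0-9+/=]{6,})['"]?\s*\|\s*base64""")


@dataclass
class RunBlock:
    line: int      # 1-based line on which the script text starts
    script: str


@dataclass
class Finding:
    line: int      # 1-based line of the matching script text
    rule: str
    snippet: str


def extract_run_blocks(yaml_text):
    """Collect run: scripts with a small indentation-based reader.
    Handles inline values and block scalars; plain multi-line scalars are not covered."""
    lines = yaml_text.splitlines()
    blocks, i = [], 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group('indent')) + len(m.group('dash') or '')
        value = m.group('value')
        if BLOCK_SCALAR.match(value):
            body, j = [], i + 1
            while j < len(lines):
                ln = lines[j]
                if ln.strip() == '':          # keep blanks so line offsets stay exact
                    body.append('')
                    j += 1
                    continue
                if len(ln) - len(ln.lstrip(' ')) <= key_indent:
                    break                     # dedent ends the block scalar
                body.append(ln.strip())
                j += 1
            blocks.append(RunBlock(i + 2, '\n'.join(body).strip('\n')))
            i = j
        else:
            blocks.append(RunBlock(i + 1, value.strip()))
            i += 1
    return blocks


def scan_workflow(yaml_text):
    """Run every signature over every run: block; report the exact line of each hit."""
    findings = []
    for block in extract_run_blocks(yaml_text):
        for rule, pattern in SIGNATURES:
            for m in pattern.finditer(block.script):
                offset = block.script[:m.start()].count('\n')
                findings.append(Finding(block.line + offset, rule, m.group(0)))
    return findings


def decode_b64_literals(script):
    """Decode base64 literals feeding a decoder so an analyst can read the payload
    without running it. Non-base64 captures are skipped."""
    decoded = []
    for pattern in (B64_CALL, ECHO_B64):
        for m in pattern.finditer(script):
            try:
                decoded.append(base64.b64decode(m.group(1), validate=True).decode('utf-8', 'replace'))
            except (binascii.Error, ValueError):
                continue
    return decoded


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.rule}: {f.snippet}")
    for b in extract_run_blocks(SAMPLE_WORKFLOW):
        for text in decode_b64_literals(b.script):
            print(f"line {b.line}: decoded payload -> {text!r}")
```

Two design points matter for a real deployment: the script reports the line inside the block scalar rather than the `run:` key, so a finding can be traced straight to the offending command, and the decoder only reveals what an encoded literal would have executed; it never evaluates it. A production scanner would also resolve `${{ }}` expressions and fetch remote scripts referenced by `curl ... | sh`, which this reader deliberately leaves out.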
The findings carry serious supply chain implications. A match against a confirmed IOC signals an active compromise, while a match against a dangerous execution pattern reveals systemic exposure to a class of attack that bypasses basic code review by hiding payloads in encoded form. Workflows processed by shared runners are particularly at risk, as a single compromised workflow can exfiltrate secrets, alter build artifacts, or pivot into downstream systems. Security teams should treat the affected workflows as potentially compromised, rotate any secrets present in those contexts, and conduct forensic review of recent execution logs. The breadth of the finding—36 distinct workflows across potentially multiple repositories—points to either a coordinated campaign or a compromised upstream template in common use.