A security researcher uncovered a critical vulnerability in the Node.js CI/CD pipeline that allowed remote code execution on internal Jenkins agents and posed a significant supply chain risk. The attack stemmed from how Node.js orchestrated workflows using GitHub Actions, Jenkins, and a custom GitHub App. The flaw allowed a threat actor to smuggle unreviewed code into Jenkins pipelines by forging Git commit timestamps, tricking the system into believing that malicious commits occurred before maintainers had approved the pull request. This desynchronization between platforms opened the door to persistent code execution, potential lateral movement, and exfiltration of Jenkins credentials.
The attacker exploited this logic gap by submitting a legitimate pull request, waiting for it to receive the necessary labels and approval, then immediately pushing a forged-timestamp commit containing a payload. This payload modified build scripts to install a rogue GitHub Actions runner connected to the attacker’s repository, giving them persistent access to over a dozen Jenkins agents.
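The logic gap described above, shown as a defender's contrast between a gate that trusts commit timestamps and one that pins the exact SHA a reviewer approved. This is an added example, not Node.js's or Jenkins' own code; the SHAs, dates and the `PinnedShaGate` class are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Commit:
    sha: str
    committer_date: datetime   # written by whoever makes the commit: attacker-controlled

def timestamp_gate(commit: Commit, approved_at: datetime) -> bool:
    """Vulnerable gate: decides "was this commit made before approval?" from the
    commit's own date, so a commit pushed later with a back-dated timestamp passes."""
    return commit.committer_date <= approved_at

@dataclass
class PinnedShaGate:
    """Hardened gate (hypothetical): records the PR head SHA carried by the trusted
    approval event and builds only that SHA; any later push invalidates the approval."""
    approved_sha: Optional[str] = None

    def on_approval(self, pr_head_sha: str) -> None:
        self.approved_sha = pr_head_sha          # taken from the server-side review event

    def on_push(self, new_head_sha: str) -> None:
        if new_head_sha != self.approved_sha:    # unreviewed code arrived: approval is stale
            self.approved_sha = None

    def should_build(self, commit: Commit) -> bool:
        return self.approved_sha is not None and commit.sha == self.approved_sha

# Constructed scenario mirroring the sequence in the text: the reviewed commit is
# approved at 12:00, then a second commit is pushed with a committer date of 11:30.
APPROVED_AT = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
REVIEWED = Commit("aaaa1111", datetime(2024, 1, 10, 11, 0, tzinfo=timezone.utc))
BACKDATED = Commit("bbbb2222", datetime(2024, 1, 10, 11, 30, tzinfo=timezone.utc))

def run_scenario() -> dict:
    gate = PinnedShaGate()
    gate.on_approval(REVIEWED.sha)
    before_push = gate.should_build(REVIEWED)
    gate.on_push(BACKDATED.sha)
    return {
        "timestamp_gate_builds_backdated": timestamp_gate(BACKDATED, APPROVED_AT),
        "sha_gate_builds_backdated": gate.should_build(BACKDATED),
        "sha_gate_builds_reviewed_before_push": before_push,
        "sha_gate_builds_reviewed_after_push": gate.should_build(REVIEWED),
    }

if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The timestamp gate accepts the back-dated commit while the SHA gate rejects it and also withdraws approval from the previously reviewed SHA once the PR head has moved, forcing a fresh review.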