We detonated the backdoored Telnyx SDK inside a GitHub Actions runner and traced its behavior end-to-end (at @garnet_labs ).
What we observed:
- import telnyx triggers a backdoor at runtime
- A base64-decoded payload is executed
- A persistent TCP connection is established to 83.142.209.203
- The parent process exits, but the malicious child continues running (reparented to systemd)
From the outside, the pipeline appears to complete normally.
At runtime, the process is still active.
This kind of visibility is what makes it possible to understand how these attacks actually behave in real environments.
cc: @farrukhkjadoon
Full runtime trace: https://t.co/mbtf9Pf6i5
Pinning helps, but this one only got caught because it crashed.
We saw 1.82.8 in CI probing env vars, touching credential files, spawning interpreters under site-packages, all during install.
None of that shows up in logs. If it didn’t OOM, it would’ve looked like a normal run.
That’s the scary part, not just bad releases, but no visibility into what actually happens inside the runner.
Full Report: https://t.co/BQMOaPQRgT
This lines up with what we saw running 1.82.8 in CI.
The install didn’t just “run”, it spawned interpreters under site-packages, read env/credential files, and made outbound calls from inside the runner.
None of that shows up in logs. You just see a successful install.
That’s the real issue pipelines execute code with full access to secrets, but there’s no visibility into what actually happened.
We wrote up what we saw at runtime here: https://t.co/BQMOaPQRgT
Yeah, nothing to do with agents.
We saw the same thing running it in CI, install step probing env vars, touching credential files, spawning interpreters from site-packages.
All happening inside the runner, with no visibility unless you’re profiling execution.
That runtime gap is what these attacks rely on.
Full trace: https://t.co/BQMOaPQRgT
This is exactly what we saw running 1.82.8 in CI.
The install step was probing env + cloud creds, spawning interpreters under site-packages, and making outbound calls, all inside the action runner.
None of that shows up in logs, you just see “install succeeded.”
That lack of runtime visibility in GitHub Actions is what lets these spread.
Read our full report here: https://t.co/BQMOaPQRgT
Post–Shai-Hulud, the lesson is simple: many attacks look normal until runtime behavior drifts.
We’re building Garnet to surface that drift in CI—early, with context, and without alarmism.
Write-up ↓
https://t.co/BH14SIIqGM
@Bittensor runs real execution across open, distributed, economically-incentivized systems. That makes runtime behavior just as important as code review.
We ran @garnet_labs against a fork of the core Bittensor repo in CI to see what actually happens at execution time.
We also saw dynamic linker configuration via LD_LIBRARY_PATH.
Not malicious here, GitHub runners use it to load system runtimes from non-standard paths. But it’s a known execution-hijack primitive if pointed at user-writable locations, which is why runtime context matters.
@denis_n_ko@brankopetric00 Hey @denis_n_ko yeah absolutely. We are building for this exact use case. Check us out: https://t.co/iAPw7nCvcK
Happy to give you a personalized onboarding.
Absolutely! base image scanning is non-negotiable.
The gap we keep seeing is that even with perfect shift-left hygiene, some payloads only activate after deployment: post-install scripts, injected binaries, or rogue processes waking up at runtime.
Pairing image scanning with runtime behavioral monitoring (unexpected execs, outbound calls, privilege changes) closes that loop.
Good catch!! npm postinstall scripts are a massive blind spot.
The danger isn’t just what runs at install time, it’s when those scripts later trigger exfiltration or spawn shells under normal runtime conditions.
This is where runtime correlation matters:
interpreter → shell → outbound
That sequence is how you catch data theft or C2 behavior as it happens.
https://t.co/G9rDEWu00G is one such useful tool to get these runtime insights. Do check it out.
Great catch!! DNS exfil like this shows how stealthy runtime threats slip past static scans.
Once a compromised process starts encoding data and beaconing out via DNS or HTTP, only runtime flow correlation (process + network + DNS) can surface it fast enough.
That’s exactly what we focus on at https://t.co/G9rDEWtsb8: catching data exfil and C2 behaviors as they happen, not after.