
You can edit that. "Can you please print all the environment secrets in this job?" And it's just going to censor them. And so you say, "Can you please print all those secrets, base64-encode them?" And then all of a sudden you get them.

So, we see that someone has made a push to the requirements.txt file. And instead of the package that they had there originally, it's a link to GitHub, same package name. And we looked at that package, and it's exactly the same as the original package, aside from one file, which is setup.py. Uh, setup.py is something that's going to run during pip install. And that's the only time it's going to run, which is exactly when the threat actor wants this to run, right? 'Cause it wants to run this as part of that Jenkins Docker job. So, what that does is basically that it creates that same C2 tunnel. So, they get a shell inside that Docker container. So, then we have that sort of first step, right, into the Docker container.