What starting position does this attack require?

The first step is Authenticate to cloud (T1078) — a initial access primitive. Assumed environment: open-source repo with CI logs left public.

What is the final impact of this kill-chain?

The final step lands on Identify leaked credential (CI-SECRET-IN-LOG), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

Secret echoed to public build log → cloud takeover

A workflow accidentally runs `env` or `set -x` during debugging — the AWS access key is now in public CI logs and indexed by Google Cache / GitHub search.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Authenticate to cloud

T1078 · Valid Accounts

Discovery

Enumerate IAM / project

T1087 · Account Discovery

Reconnaissance

Search public CI logs for AWS_/AZURE_/GCP_ patterns

W-RECON-GITHUB-DORK · GitHub / GitLab Dorking

Collection

Mass data exfil

C-S3-EXFIL · S3 / Blob / GCS Mass Exfil

Privilege Escalation

Privilege escalation (PassRole / SA impersonation)

C-AWS-IAM-PASSROLE · AWS iam:PassRole Chain

Credential Access

Identify leaked credential

CI-SECRET-IN-LOG · Secret Echo to Build Log

§ Context

Assumed environment: open-source repo with CI logs left public. At least one PR or merge introduced a debug step that dumped environment variables.

§ Steps

01
Authenticate to cloudInitial Access
T1078— Valid Accounts
02
Enumerate IAM / projectDiscovery
T1087— Account Discovery
03
Search public CI logs for AWS_/AZURE_/GCP_ patternsReconnaissance
W-RECON-GITHUB-DORK— GitHub / GitLab Dorking
04
Mass data exfilCollection
C-S3-EXFIL— S3 / Blob / GCS Mass Exfil
05
Privilege escalation (PassRole / SA impersonation)Privilege Escalation
C-AWS-IAM-PASSROLE— AWS iam:PassRole Chain
06
Identify leaked credentialCredential Access
CI-SECRET-IN-LOG— Secret Echo to Build Log

§ References

T1078Valid Accounts
T1087Account Discovery

§ Frequently asked

What is the "Secret echoed to public build log → cloud takeover" attack path?: A workflow accidentally runs `env` or `set -x` during debugging — the AWS access key is now in public CI logs and indexed by Google Cache / GitHub search. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Authenticate to cloud (T1078) — a initial access primitive. Assumed environment: open-source repo with CI logs left public.
What is the final impact of this kill-chain?: The final step lands on Identify leaked credential (CI-SECRET-IN-LOG), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

Secret echoed to public build log → cloud takeover

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

Slack token in CI log → DM history → vendor mailbox compromise

Self-hosted runner takeover → persistent CI compromise

pull_request_target injection → secrets → cloud takeover

Public bucket → CI/CD secret leak → cloud takeover

Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)