Threats from the Shadows: Securing the CI/CD Pipeline Against Modern Attacks
A deep dive into how attackers exploit overlooked weaknesses in CI/CD pipelines and software supply chains, and how .NET and DevOps teams can use automation and modern practices to detect and mitigate stealthy threats before they reach production.
As software teams accelerate release cycles with increasingly automated CI/CD pipelines, their software supply chains have become high-value targets for attackers. From package tampering to compromised build scripts, the attack surface has grown well beyond just application code.
Unfortunately, many development teams remain unaware of the subtle vulnerabilities lurking within their own workflows -- misconfigurations, outdated project formats, and dependency sprawl that can silently expose them to breach.
In their session "Threats from the Shadows" at the March 16-20 Visual Studio Live! Las Vegas developer conference, GitHub staff DevOps architects Mickey Gousset and Ken Muse will spotlight some of the hidden risks threatening modern software delivery. Aimed at developers and DevOps professionals working in .NET and Azure environments, the March 19 session will walk attendees through real-world exploit scenarios -- like the recent Shai-Hulud attack that compromised tens of thousands of repositories -- and share practical strategies to identify and mitigate vulnerabilities across the pipeline.
From modernizing .NET project structures to implementing automated security tooling and inventorying transitive dependencies, Mickey and Ken aim to arm attendees with actionable steps they can implement immediately. Their key message: securing a web application doesn't begin at runtime -- it starts the moment code is written and flows through the pipeline.
We spoke with Mickey and Ken ahead of their introductory/intermediate-level presentation to learn more about the threats they're seeing in the wild, why traditional security approaches fall short, and how teams of all sizes can adopt a more proactive, defense-in-depth mindset.
VisualStudioMagazine: What inspired you to present a session on this topic?
Mickey/Ken: In the last year, there have been several high-profile breaches that exploited overlooked vulnerabilities in development environments and CI/CD pipelines. These incidents highlighted the need for greater awareness around "threats from the shadows" -- those hidden risks that often go unnoticed until it's too late. Too many companies believe that traditional security measures or focusing solely on Common Vulnerabilities and Exposures (CVEs) are sufficient, but attackers are focusing on less obvious vectors. By the time a vulnerability is cataloged in a CVE, it has often been exploited for months.
Our goal is to equip attendees with practical strategies to identify and mitigate these stealthy threats in their environments.
When you talk about "threats from the shadows," what is one modern cyber threat you believe is most underestimated -- and why do you think it stays under the radar so long?
Package management processes. Nearly every modern application relies on third-party libraries and packages, yet many organizations fail to adequately vet these dependencies. This threat remains under the radar because speed and functionality are often prioritized over security processes when selecting and updating dependencies. Developers don't have enough time to thoroughly review every package they use, and security teams are often not involved in the process. A package provides numerous opportunities for exploitation through both its code and its contributions to the build. Without adequate process controls, vulnerabilities and malicious code can easily slip through unnoticed. When security is an afterthought, these opportunities can multiply as developers rush to meet short deadlines.
Could you describe a real-world scenario (or case study) where an organization was compromised by a "hidden" vulnerability -- and how detection or response failed?
Shai-Hulud is one of the most recent examples of this attack, affecting Zapier, Postman, and others. In a surprisingly short time, it compromised more than 28K repositories and 1K npm packages, which averaged over 100 million monthly downloads. The exploit started with an exposed credential, allowing attackers to publish a malicious package which then compromised more packages. Many of the companies affected relied on looking for known vulnerabilities, but this attack exploited a zero-day vulnerability in the supply chain, making detection and response extremely difficult.
For a typical .NET / Azure-based enterprise, what is one simple but often overlooked configuration or practice that substantially improves defense against these stealthy threats?
One often overlooked practice is using modern, SDK-style .NET project formats and eliminating projects that rely on the historical packages.config file. The new format provides better security against malicious packages by ignoring install scripts that may be included in packages. By not automatically trusting these scripts, it reduces the risk of executing malicious code during package installation.
Given the evolving nature of threat actors, how do you recommend balancing preventive measures (e.g. secure coding, hardening) with proactive detection (e.g. monitoring, logging) -- especially for small or mid-sized teams?
Automation is key. Small and mid-sized teams often lack the resources for extensive manual security reviews, so leveraging automated tools for both preventive measures and proactive detection can help bridge that gap. The more you can make security an integrated, transparent part of the deployment process, the better. This includes using automated code analysis tools, dependency scanners, and monitoring solutions that can alert teams to suspicious activities in real time.
What is one common misconception developers or teams have about what constitutes a "secure" web application -- a misconception that your session aims to correct?
Most developers assume that if the web application is secure, their system is secure. However, that system starts with the development environment, build process, and deployment pipeline. If any of these components are compromised, the security of the web application itself is at risk. Our session aims to highlight the importance of securing the entire software supply chain, not just the final product.
If an organization wanted to adopt a "zero trust" or "defense-in-depth" mindset after attending your session, what is one first concrete step they should take?
Take a comprehensive inventory of all third-party dependencies used in your applications, including development tools, libraries, and packages. You need to understand what you are using before you can secure it. Remember to include not just direct dependencies, but also transitive dependencies that may be pulled in indirectly. You're also looking for hidden dependencies -- those things that your packages may download or use at build time or runtime that aren't explicitly referenced in package manifests.
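The two practices above (retiring packages.config projects, and inventorying direct and transitive dependencies) can both be checked mechanically. The following script is an added example written for this article, not code from the speakers or from GitHub. It works on constructed, in-memory samples: two small .csproj files, and an excerpt shaped like NuGet's `obj/project.assets.json` (the key layout used here, `targets` -> framework -> `Name/Version` entries with a `dependencies` map, plus `project.frameworks.<tfm>.dependencies` for direct references, is my understanding of that file and should be treated as an assumption; the package names, versions and dependency edges in the sample are illustrative). It flags legacy projects and attributes every transitive package to the direct reference that pulls it in. It only sees what the manifests declare, so the "hidden dependencies" fetched at build or run time that the answer mentions still need separate attention.

```python
"""Added example: audit .NET projects for legacy packages.config usage and
build a direct/transitive dependency inventory from a NuGet assets file.
All inputs below are constructed samples held in memory."""
import json
import re
from collections import deque

# Constructed sample: a legacy (non-SDK-style) project that still ships packages.config.
LEGACY_CSPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <None Include="packages.config" />
  </ItemGroup>
</Project>"""

# Constructed sample: an SDK-style project using PackageReference.
SDK_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>net8.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Serilog" Version="3.1.1" />
  </ItemGroup>
</Project>"""

# Constructed excerpt in the shape of obj/project.assets.json (assumed layout;
# only the keys this script reads are present, and the edges are illustrative).
ASSETS_JSON = """{
  "version": 3,
  "targets": {
    "net8.0": {
      "Serilog/3.1.1": {"type": "package"},
      "Serilog.Sinks.File/5.0.0": {"type": "package",
        "dependencies": {"Serilog": "2.10.0"}},
      "Microsoft.Extensions.Logging/8.0.0": {"type": "package",
        "dependencies": {"Microsoft.Extensions.DependencyInjection": "8.0.0",
                         "Microsoft.Extensions.Logging.Abstractions": "8.0.0"}},
      "Microsoft.Extensions.DependencyInjection/8.0.0": {"type": "package",
        "dependencies": {"Microsoft.Extensions.DependencyInjection.Abstractions": "8.0.0"}},
      "Microsoft.Extensions.DependencyInjection.Abstractions/8.0.0": {"type": "package"},
      "Microsoft.Extensions.Logging.Abstractions/8.0.0": {"type": "package",
        "dependencies": {"Microsoft.Extensions.DependencyInjection.Abstractions": "8.0.0"}}
    }
  },
  "project": {
    "frameworks": {
      "net8.0": {
        "dependencies": {
          "Serilog.Sinks.File": {"target": "Package", "version": "[5.0.0, )"},
          "Microsoft.Extensions.Logging": {"target": "Package", "version": "[8.0.0, )"}
        }
      }
    }
  }
}"""


def is_legacy_project(csproj_text: str) -> bool:
    """True when the project is not SDK-style (no Sdk attribute on <Project>)
    or still references packages.config, the format that honours install scripts.
    Simplification: the <Sdk Name="..."/> element form is not recognised here."""
    has_sdk_attribute = re.search(r"<Project\b[^>]*\bSdk=", csproj_text) is not None
    uses_packages_config = "packages.config" in csproj_text
    return (not has_sdk_attribute) or uses_packages_config


def inventory(assets_text: str, framework: str) -> dict:
    """Map package name -> {version, direct, via} for every package resolved
    for `framework`. `via` lists the direct references whose dependency graph
    reaches the package, so each transitive package is attributed to an owner."""
    assets = json.loads(assets_text)
    graph = {}  # name -> (resolved version, [dependency names])
    for key, entry in assets["targets"][framework].items():
        if entry.get("type") != "package":
            continue  # project references are not packages
        name, version = key.split("/", 1)
        graph[name] = (version, list(entry.get("dependencies", {})))
    direct = set(assets["project"]["frameworks"][framework]["dependencies"])
    result = {name: {"version": ver, "direct": name in direct, "via": set()}
              for name, (ver, _) in graph.items()}
    for root in direct:  # breadth-first walk from each direct reference
        seen, queue = set(), deque([root])
        while queue:
            current = queue.popleft()
            if current in seen or current not in graph:
                continue
            seen.add(current)
            if current != root:
                result[current]["via"].add(root)
            queue.extend(graph[current][1])
    for info in result.values():
        info["via"] = sorted(info["via"])
    return result


def transitive_only(inv: dict) -> list:
    """Packages that reach the build only through other packages."""
    return sorted(name for name, info in inv.items() if not info["direct"])


if __name__ == "__main__":
    for label, text in (("legacy.csproj", LEGACY_CSPROJ), ("modern.csproj", SDK_CSPROJ)):
        print(f"{label}: {'LEGACY - migrate to SDK-style' if is_legacy_project(text) else 'ok'}")
    inv = inventory(ASSETS_JSON, "net8.0")
    for name in transitive_only(inv):
        print(f"transitive {name} {inv[name]['version']} via {', '.join(inv[name]['via'])}")
```

In a real repository the same functions would be fed the contents of every `*.csproj` and `obj/project.assets.json` found on disk (after a restore), and the `transitive_only` list is the part of the inventory most teams have never looked at.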
Over the next 12-18 months, what emerging risk vector (e.g. due to cloud adoption, remote work, AI-powered attacks) do you think will dominate -- and how should software practitioners start preparing now?
AI is adopting a dual role in cybersecurity. On one hand, AI-powered tools can enhance security and the coding experience. On the other hand, attackers are also leveraging AI to improve their coding experience. They craft more sophisticated attacks that evade traditional defenses. In addition, AI models and Model Context Protocol (MCP) servers introduce new attack surfaces whose attack potential is not yet fully understood. This combination of factors makes AI-driven threats a dominant risk vector in the near future.
Software practitioners should start by educating themselves on AI and the security implications. They should begin learning about the different ways AI can be exploited. For example, understanding prompt injection attacks and data poisoning. They can then consider their security posture and how to incorporate protective measures into their development and deployment processes.
How can attendees learn more about this topic, and prepare for your session?
Take a moment and review the OWASP Top 10 CI/CD Security Risks. Each item contains details about common exploit paths and examples of real-world attacks. This will provide a solid foundation for understanding the types of threats we will discuss in the session. It will also expose attendees to some of the terminology and concepts that will be covered, allowing them to get more out of the presentation.
Note: Those wishing to attend the session can save money by registering early, according to the event's pricing page. "Save $300 when you register by the Early Bird Savings deadline of Feb. 13," said the organizer of the event, which is presented by the parent company of Visual Studio Magazine.
About the Author
David Ramel is an editor and writer at Converge 360.