CI/CD supply chain attack on Azure Karpenter Provider open-source project

stepsecurity.io

3 points by varunsharma07 a year ago · 2 comments

varunsharma07 (OP) a year ago

An independent security researcher, on August 31st, 2024, demonstrated a successful supply chain attack on Azure Karpenter Provider, an open-source project maintained by Microsoft. A vulnerable GitHub Actions workflow led to this attack. The researcher successfully exploited the vulnerability and gained access to the workflow's GITHUB_TOKEN, which had "id-token: write" permission to the repository.
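The post above turns on one detail: the workflow's GITHUB_TOKEN carried `id-token: write`, the permission that lets a job mint OIDC tokens for cloud federation. The script below is an added example, not code from the post or from the Azure Karpenter Provider project; it audits a constructed GitHub Actions workflow (the `SAMPLE_WORKFLOW` text and every job name in it are assumptions) and reports the grants a reviewer would want to see before merging: `id-token: write`, the `write-all` shorthand, and a missing top-level `permissions:` block (in which case jobs without their own block inherit the repository's default token permissions). It parses the workflow line by line on purpose so that it runs without PyYAML.

```python
"""Audit GitHub Actions workflow text for risky GITHUB_TOKEN permission grants.

Added example; the sample workflow below is constructed for illustration and
is not the Azure Karpenter Provider's own workflow.
"""
import re

# Constructed sample: three jobs with differently scoped token permissions.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - run: echo publish
  legacy:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - run: echo legacy
"""


def _indent(line):
    """Number of leading spaces (GitHub workflows use space indentation)."""
    return len(line) - len(line.lstrip(" "))


def parse_permissions(text):
    """Return {scope: {permission: level}} for every permissions block.

    scope is 'workflow' for the top-level block or 'job:<name>' for a job's
    block.  The shorthands 'write-all' / 'read-all' are stored under key '*';
    an explicit 'permissions: {}' becomes an empty dict.
    """
    lines = text.splitlines()
    result = {}
    in_jobs = False
    current_job = None
    i = 0
    while i < len(lines):
        line = lines[i]
        stripped = line.strip()
        ind = _indent(line)
        if not stripped or stripped.startswith("#"):
            i += 1
            continue
        if ind == 0:
            in_jobs = stripped == "jobs:"
            current_job = None
        elif in_jobs and ind == 2 and stripped.endswith(":"):
            current_job = stripped[:-1]          # a job id under jobs:
        m = re.match(r"permissions:\s*(.*)$", stripped)
        if m:
            scope = "workflow" if ind == 0 else f"job:{current_job}"
            inline = m.group(1).strip()
            if inline == "{}":
                result[scope] = {}
            elif inline:
                result[scope] = {"*": inline}    # write-all / read-all shorthand
            else:
                grants = {}
                j = i + 1
                # Consume the indented mapping that follows 'permissions:'.
                while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > ind):
                    kv = lines[j].strip()
                    if ":" in kv:
                        key, val = kv.split(":", 1)
                        grants[key.strip()] = val.strip()
                    j += 1
                result[scope] = grants
                i = j
                continue
        i += 1
    return result


def audit_workflow(text):
    """Return a list of (scope, message) findings in document order."""
    perms = parse_permissions(text)
    findings = []
    if "workflow" not in perms:
        findings.append(("workflow",
                         "no top-level permissions block; jobs without their own "
                         "block inherit the repository default token permissions"))
    for scope, grants in perms.items():
        if grants.get("*") == "write-all":
            findings.append((scope, "permissions: write-all grants every scope"))
        if grants.get("id-token") == "write":
            findings.append((scope, "id-token: write lets this job mint OIDC tokens "
                                    "for cloud federation; confirm the job needs it"))
    return findings


if __name__ == "__main__":
    for scope, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{scope}: {msg}")
```

Run it over a real `.github/workflows/*.yml` by reading the file into `audit_workflow`; a job that both checks out untrusted code and holds `id-token: write` is the combination to look at hardest.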

blinded a year ago

Karpenter is legit 10/10. When deployed, it saved us ~15% of our CPU spend.
