Tag
Ouroboros-AI Remote Code Execution via Malicious .env File
2 rules 1 TTPA remote code execution vulnerability exists in Ouroboros-AI versions prior to 0.39.0, enabling attackers to inject malicious scripts via CLI path variables within a cloned repository's .env file, leading to arbitrary code execution when Ouroboros commands are executed.
sherlock-project/sherlock GitHub Actions RCE via pull_request_target Injection (CVE-2026-44590)
2 rules 3 TTPs 5 IOCsA command injection vulnerability, identified as CVE-2026-44590, exists in the `validate_modified_targets.yml` GitHub Actions workflow of sherlock-project/sherlock. A malicious pull request can trigger arbitrary command execution in the privileged CI context, allowing attackers to exfiltrate the GITHUB_TOKEN and auto-approve the malicious PR without human interaction, effectively leading to a supply chain compromise.
GitHub Organizations 2FA Disabled
3 rules 3 TTPsThe disabling of two-factor authentication (2FA) in GitHub Organizations is detected through audit log monitoring, potentially indicating an attacker's attempt to weaken account security and facilitate unauthorized access.
GitHub Enterprise Self-Hosted Runner Registration
2 rules 1 TTPA self-hosted runner was created in GitHub Enterprise, which could be exploited by attackers to execute malicious code, access sensitive data, or pivot to other systems.
GitHub Enterprise Classic Branch Protection Rule Disabled
3 rules 2 TTPsDetection of disabled classic branch protection rules in GitHub Enterprise, indicating potential bypass of code review and security controls, leading to unauthorized code changes and supply chain compromise.