Cacheract: The Monster in your Build Cache – Adnan Khan

submitted by
Style Pass
2025-01-09 23:30:04

Since then, the topic has received quite a bit of buzz. Threat actors are even picking up on the technique, as we saw with the Ultralytics supply chain attack.

GitHub has made some changes to how caching works. Sometime in November, GitHub added a restriction that blocks saving cache entries after the conclusion of a workflow job. This reduces the effectiveness of the “cache stuffing” technique. This technique allowed you to clear reserved cache entries and replace them with poisoned entries using a single Cache JWT.

Now, I am releasing a proof-of-concept tool. It automates the entire process from within a build. It leaves almost no trace. Meet Cacheract.

You can find it at https://github.com/adnaneKhan/cacheract. It is open-source under the MIT License and open for bug reports, contributions and suggestions! I hope it will become a useful tool for Red and Purple Teamers. They can use it to demonstrate the impact of insecure GitHub Actions CI/CD caching configurations on their assessments.

Please understand that, like many offensive security tools, Cacheract can cause damage if used for malicious purposes. Please only use it for ethical security research and educational purposes.
