.webp?#)
![Epic Games Wins Major Victory as Apple is Ordered to Comply With App Store Anti-Steering Injunction [Updated]](https://images.macrumors.com/t/Z4nU2dRocDnr4NPvf-sGNedmPGA=/2250x/article-new/2022/01/iOS-App-Store-General-Feature-JoeBlue.jpg)
![Google Home app fixes bug that repeatedly asked to ‘Set up Nest Cam features’ for Nest Hub Max [U]](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2022/08/youtube-premium-music-nest-hub-max.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![[The AI Show Episode 145]: OpenAI Releases o3 and o4-mini, AI Is Causing “Quiet Layoffs,” Executive Order on Youth AI Education & GPT-4o’s Controversial Update](https://www.marketingaiinstitute.com/hubfs/ep%20145%20cover.png)
Hijacking NodeJS’ Jenkins Agents For Remote Code Execution
Security researchers recently uncovered a critical vulnerability in Node.js’s continuous integration infrastructure that allowed attackers to execute malicious code on internal Jenkins agents, potentially leading to a devastating supply chain attack. When multiple DevOps platforms work together to execute pipelines for a single GitHub repository, it begs the question: Do these platforms get along? In […] The post Hijacking NodeJS’ Jenkins Agents For Remote Code Execution appeared first on Cyber Security News.
Security researchers recently uncovered a critical vulnerability in Node.js’s continuous integration infrastructure that allowed attackers to execute malicious code on internal Jenkins agents, potentially leading to a devastating supply chain attack.
When multiple DevOps platforms work together to execute pipelines for a single GitHub repository, it begs the question: Do these platforms get along? In the case of Node.js, the answer was a concerning “not always.”
Security firm Praetorian revealed on April 30, 2025, that they had discovered serious security gaps in Node.js’s CI/CD pipeline architecture. The vulnerability allowed attackers to bypass security checks and execute arbitrary code on internal Jenkins agents that build and test the world’s most popular JavaScript runtime environment.
“The core issue stems from a Time-of-Check-Time-of-Use (TOCTOU) vulnerability between initiating a CI build and the moment the Jenkins job checks out the code,” explained Node.js’s Technical Steering Committee in their disclosure.
This vulnerability potentially affected millions of downstream users who rely on Node.js for their applications.
The attack exploited a fundamental flaw in how Node.js’s GitHub Actions workflows communicated with Jenkins pipelines. An attacker could submit a legitimate pull request, wait for maintainer’s approval, and the addition of a request-ci label, then push new malicious code with a forged Git commit timestamp predating the label event.
This timestamp forgery allowed attackers to bypass Node’s checkCommitsAfterReviewOrLabel() function, effectively smuggling unreviewed, potentially malicious code into Jenkins pipelines.
Once executed, this code could install persistence on Node.js Jenkins test infrastructure, potentially compromise Jenkins credentials, and facilitate lateral movement through internal networks.
Even more concerning, Node.js’s internal investigation revealed that a similar vulnerability existed in their “commit-queue” process, which could have allowed attackers to inject malicious code directly into the main branch, potentially enabling a supply chain attack affecting all Node.js users.
The Node.js security team responded rapidly to Praetorian’s March 21 report. They immediately restricted access to Jenkins CI runs and identified and rebuilt 24 compromised machines.
By April 1, they had implemented crucial security improvements, replacing date validation with approved SHA checks to remediate both vulnerabilities.
“Comprehensive audits were carried out across 140 Jenkins jobs, prioritizing frequently used ones, to detect and remediate vulnerabilities,” the Node.js team reported. The team also temporarily disabled vulnerable GitHub workflows until they could be patched with enhanced security measures.
This incident highlights the increasing complexity of modern CI/CD pipelines, especially when they span multiple platforms. As organizations rely more heavily on automated pipelines for software delivery, the security boundaries between these systems become critical attack vectors.
“Managing and securing relationships between several DevOps platforms is challenging, especially when it’s the end-user’s responsibility,” noted Praetorian in their report. Their three-day investigation confirmed that even well-managed systems can have security gaps where platforms intersect.
This incident underscores the importance of rigorous security testing focused on the boundaries between systems for organizations using multi-platform CI/CD pipelines.
As Node.js demonstrated, responding rapidly to security reports and implementing robust verification mechanisms is crucial for maintaining trust in the software supply chain.
The Node.js team has earned praise for their transparent handling of the incident and comprehensive remediation efforts, demonstrating a commitment to security that sets an example for open-source projects worldwide.
Are you from the SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
The post Hijacking NodeJS’ Jenkins Agents For Remote Code Execution appeared first on Cyber Security News.
