Pangolin — We're in the $ecur1ty H4ckath0n and Need Your Vote
This May, one automated campaign backdoored 5,561 GitHub repos in six hours — targeting CI/CD pipelines, not application code. The knowledge to catch these attacks exists, but it's locked in researchers' private notes. Pangolin is here to change that.
Why we built Pangolin
This May, one automated campaign backdoored 5,561 GitHub repositories in six hours. It didn't touch a single line of application code — it went after the CI/CD pipelines that build and ship it.
Days earlier, an attacker pushed 84 malicious versions across 42 @tanstack/* npm packages by chaining pull_request_target abuse, GitHub Actions cache poisoning, and OIDC token theft straight from runner memory.
Same lesson both times: the pipeline is the target now. And workflow files get reviewed far less carefully than the code they ship.
Here's the part that bothers me most. The knowledge to catch these attacks already exists — it's just locked inside security researchers' private notes, one-off scripts, and manual reviews. The developer defending their own repo never gets to use it.
I don't think your ability to defend your own pipeline should depend on whether you happen to follow the right researchers on the internet.
What Pangolin does
Pangolin is a CI/CD security scanner built by Termdock. It does three things:
- Scans your GitHub Actions workflows using regex patterns cross-validated with Semgrep to flag known risky patterns
- Uses LLM attack chain analysis to determine whether those patterns are actually exploitable in your specific workflow context
- Generates auto-fix PRs — not just telling you what's wrong, but fixing it for you
It connects to Sola's MCP to pull live GitHub workflow data and runs a three-stage analysis pipeline. All 17 Semgrep patterns are covered.
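To make the first two stages concrete, here is a small workflow linter in the same spirit as the scanner described above. It is an added example written for this page, not Pangolin's or Termdock's code; the two workflow files are constructed samples, the 40-hex action pins are placeholders rather than real commits, and the rule names are invented. It applies regex checks for three well-known risky settings (a pull_request_target workflow that checks out the PR head, actions pinned to a mutable tag instead of a commit SHA, and a write-all token) and shows the context step: pull_request_target on its own is not reported, only the combination with a PR-head checkout is.

```python
"""Minimal GitHub Actions workflow linter (added example, not Pangolin's code)."""
import re
from dataclasses import dataclass

# Constructed sample workflows (not taken from the page). The 40-hex SHAs are
# placeholders, not real commits.
RISKY_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - run: npm ci && npm test
"""

HARDENED_WORKFLOW = """\
name: pr-build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - uses: actions/setup-node@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - run: npm ci && npm test
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # hypothetical rule id, not a Semgrep rule name
    detail: str


# Trigger written either as a mapping key ("pull_request_target:") or inside a
# flow list ("on: [push, pull_request_target]").
PRT_TRIGGER = re.compile(
    r"^\s*pull_request_target\s*:|^on:\s*\[[^\]]*\bpull_request_target\b", re.M)
# Checkout step that explicitly checks out the PR head instead of the base branch.
PR_HEAD_REF = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$", re.M)


def scan(workflow_text: str) -> list[Finding]:
    """Return the findings for one workflow file's text."""
    findings: list[Finding] = []

    # Context-dependent rule: pull_request_target alone is not a finding; it
    # becomes one only when the same workflow also checks out the PR head.
    if PRT_TRIGGER.search(workflow_text) and PR_HEAD_REF.search(workflow_text):
        findings.append(Finding("prt-head-checkout",
                                "pull_request_target workflow checks out the PR head"))

    # Every third-party action should be pinned to a full commit SHA.
    for m in USES_LINE.finditer(workflow_text):
        uses = m.group(1)
        if uses.startswith(("./", "docker://")):
            continue  # local or container reference, no git ref to pin
        _, _, ref = uses.partition("@")
        if not FULL_SHA.match(ref):
            findings.append(Finding("unpinned-action", uses))

    # A blanket write-all token is more than a build job needs.
    if WRITE_ALL.search(workflow_text):
        findings.append(Finding("write-all-permissions", "token grants write-all"))

    return findings


if __name__ == "__main__":
    for f in scan(RISKY_WORKFLOW):
        print(f"{f.rule}: {f.detail}")
    print("hardened findings:", scan(HARDENED_WORKFLOW))
```

Running it lists three findings for the risky sample and none for the hardened one, which is roughly the diff an auto-fix PR would need to produce: switch the trigger to pull_request (or drop the head checkout), pin actions to commit SHAs, and scope permissions to contents: read.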
This isn't guesswork. Over the past few months I've submitted 29 vulnerability reports to Google, Microsoft, GitLab, and other major programs. I can't discuss the undisclosed ones yet — but that work is exactly why I know the gap is real, and exactly what Pangolin is built to close.
Why your vote matters
Pangolin is early. This hackathon is its first public test — it's now competing in the $ecur1ty H4ckath0n hosted by Sola Security, and this round is decided by public vote.
A vote here isn't a favor. It's a vote for defensive security tooling being open and in developers' hands — not trapped in private notes.
If that's a direction you want to exist, I'd genuinely value yours.
First place wouldn't just be a prize. It'd be a signal that enough people want this to make it worth going all in. Any prize money goes straight back into the research and the open-source work.