
Vipul Gupta
Senior Software Engineer, balena | GitHub Star
Vipul Gupta is a seasoned engineer with niche expertise in building hardtech products, scalable pipelines, and sustaining communities. He runs Mixster, an initiative to write open-source docs for startups.
He occasionally reads, meticulously documents, and continuously automates. Vipul has been part of programs such as Google Summer of Code, the ALiAS AMA program, and Google Code-in. He is the comms lead for PyCon India, runs ALiAS, a community of 3000+ students, and is an organizer for GitHub's GitTogether community.
How Insecure Defaults Led to Undetected Supply Chain Incident: A CI/CD Security nightmare
As an open-source company publishing packages and contributing widely, we navigate the complex balance of open code and private signing credentials for macOS, Linux, and Windows. This combination became a serious vulnerability when insecure defaults in our CI/CD pipeline created an undetected attack vector with potentially devastating consequences.
In this talk, we unpack how a 2-year-old token - exposed via a misconfigured Action, with no expiration or alerting — enabled bad actors to potentially manipulate public images and forced revocation of our code signing credentials.
We’ll walk through:
1. Our detailed forensic investigation: diffing registry images, scanning across npm, PyPI, and Docker Hub, and tracing the exposed token.
2. What went wrong: lack of artifact scanning, weak secret hygiene, and implicit trust in CI defaults.
3. Practical security improvements you can make — automated scanners, secret permissions, security reviews, and much more.
By sharing our experience, we aim to help the community identify and mitigate this highly exploitable attack vector, one that can remain undetected for years, and so prevent supply chain attacks before they happen.
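As an added illustration of the "implicit trust in CI defaults" and "secret permissions" points above, here is a GitHub Actions publishing workflow that makes the token scope explicit and short-lived. This is example configuration written for this page, not a workflow from the talk or from balena; the repository name, image name, secret names, and the scanner step are assumptions.

```yaml
# Added example, not from the talk or balena's repositories.
# Names (example-org, example-image, REGISTRY_USER, REGISTRY_TOKEN) are assumed.
name: publish

on:
  push:
    tags: ["v*"]

# Insecure default: with no `permissions` key, the job-scoped GITHUB_TOKEN gets
# whatever the repository or organisation default is, which can be read/write
# on contents and packages. Declaring the scope makes it visible and minimal.
permissions:
  contents: read

jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    # Only this job needs to push to the package registry; nothing else gets write.
    # GITHUB_TOKEN also expires when the job ends, unlike a long-lived personal
    # token stored as a secret with no expiry.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      # Secret hygiene: read credentials from env and feed them via stdin so
      # they never appear in a command line or a log line.
      - name: Log in to registry
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}    # assumed secret name
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}  # assumed secret name
        run: |
          printf '%s' "$REGISTRY_TOKEN" | docker login ghcr.io -u "$REGISTRY_USER" --password-stdin

      - name: Build image
        run: docker build -t ghcr.io/example-org/example-image:${{ github.ref_name }} .

      # Artifact scanning before publish, whose absence the abstract lists as a
      # root cause. Assumes the trivy CLI is installed on the runner in an earlier
      # step (not shown); any image scanner with a non-zero exit on findings works.
      - name: Scan image before push
        run: trivy image --exit-code 1 --severity HIGH,CRITICAL ghcr.io/example-org/example-image:${{ github.ref_name }}

      - name: Push image
        run: docker push ghcr.io/example-org/example-image:${{ github.ref_name }}
```

The design choice is that every write capability is declared on the one job that needs it, so a reviewer can see the blast radius in the file rather than having to know the repository's default token settings, and the scan runs as a gate between build and push rather than as an after-the-fact report.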
OpenSSF Community Day India 2025
KubeCon + CloudNativeCon + Open Source Summit China 2023