Vipul Gupta

Senior Software Engineer, balena | GitHub Star

Vipul Gupta is a seasoned engineer with a niche expertise in building hardtech products, scalable pipelines, & sustaining communities. He runs Mixster, an initiative to write open-source docs for startups.

Occasionally reading, meticulously documenting, and continuously automating, Vipul has taken part in programs such as Google Summer of Code, the ALiAS AMA program, and Google Code-in. He is the comms lead for PyCon India, runs ALiAS, a community of 3000+ students, and is an organizer for GitHub's GitTogether community.

Area of Expertise

  • Information & Communications Technology

Topics

  • IoT
  • Hardware
  • open source
  • AI Safety
  • Containers
  • Supply Chain

How Insecure Defaults Led to an Undetected Supply Chain Incident: A CI/CD Security Nightmare

As an open-source company publishing packages and contributing widely, we navigate the complex balance of open code and private signing credentials for macOS, Linux, and Windows. This combination became a serious vulnerability when insecure defaults in our CI/CD pipeline created an undetected attack vector with potentially devastating consequences.

In this talk, we unpack how a 2-year-old token, exposed via a misconfigured Action and carrying no expiration or alerting, enabled bad actors to potentially manipulate public images and forced the revocation of our code signing credentials.

We’ll walk through:

1. Our detailed forensic investigation: diffing registry images, scanning across npm, PyPI, and Docker Hub, and tracing the exposed token.

2. What went wrong: lack of artifact scanning, weak secret hygiene, and implicit trust in CI defaults.

3. Practical security improvements you can make: automated scanners, scoped secret permissions, security reviews, and much more.

By sharing our experience, we aim to help the community identify and mitigate this highly exploitable attack vector, which can remain undetected for years, and prevent supply chain attacks before they happen.

OpenSSF Community Day India 2025

August 2025, Hyderābād, India

KubeCon + CloudNativeCon + Open Source Summit China 2023

September 2023, Shanghai, China
