Compromised Code Signing and Build Infrastructure
Info
ID: AT-RD001
Tactic: Resource Development
Sub-techniques: Build Pipeline Manipulation, Build Script Tampering
Platforms: PRE
Adversaries may infiltrate build pipelines or steal code signing keys to insert malicious elements into software releases without detection. By tampering with CI/CD configurations, intercepting build scripts, or subverting code signing certificates, attackers make their modified artifacts appear legitimate. The approach is stealthy because it can evade downstream security tools: the resulting binaries or packages originate from what appears to be a trusted source.
In cloud-native workflows, code signing and automated builds are central to continuous deployment. An attacker who subverts these systems can systematically distribute backdoored updates or trojanized libraries to production environments. Because each new build faithfully incorporates the malicious code, organizations may discover the compromise only after extensive damage. Control of the build infrastructure therefore guarantees the adversary widespread distribution of its payloads.
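As an added defender-side example (not part of this technique entry), the Go program below verifies a release against a signed attestation that binds the artifact hash to the hash of the pipeline definition that built it, so a build from a tampered CI/CD configuration is rejected even when it carries a valid signature made with a stolen key. The attestation layout, field names and pipeline contents are constructed for illustration; only the Go standard library (ed25519, sha256) is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Attestation binds a release artifact to the exact CI/CD configuration that built it (constructed layout).
type Attestation struct {
	Artifact          string // e.g. "app-1.2.3.tar.gz"
	ArtifactSHA256    string // hash of the published bytes
	BuildConfigSHA256 string // hash of the pipeline definition used for the build
}

// canonical is the exact byte string that gets signed; a fixed field order keeps it stable.
func (a Attestation) canonical() []byte {
	return []byte(a.Artifact + "\n" + a.ArtifactSHA256 + "\n" + a.BuildConfigSHA256 + "\n")
}
func sha256Hex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Sign produces the release signature with the organisation's release key.
func Sign(priv ed25519.PrivateKey, a Attestation) []byte { return ed25519.Sign(priv, a.canonical()) }

// Verify applies three independent checks: the signature comes from the pinned release key, the downloaded
// bytes match the attested hash, and the pipeline config hash is on the approved baseline. The third check
// still catches a tampered build that was signed with a stolen key.
func Verify(pub ed25519.PublicKey, a Attestation, sig, artifact []byte, approved map[string]bool) error {
	if !ed25519.Verify(pub, a.canonical(), sig) {
		return errors.New("signature does not match pinned release key")
	}
	if sha256Hex(artifact) != a.ArtifactSHA256 {
		return errors.New("artifact bytes differ from attested hash")
	}
	if !approved[a.BuildConfigSHA256] {
		return errors.New("build config hash not in approved baseline")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := []byte("steps: [checkout, test, build]\n") // constructed pipeline definition
	approved := map[string]bool{sha256Hex(good): true}
	art := []byte("constructed release bytes")
	att := Attestation{"app-1.2.3.tar.gz", sha256Hex(art), sha256Hex(good)}
	fmt.Println("clean release:", Verify(pub, att, Sign(priv, att), art, approved))
	// An attacker holding the stolen key signs a build produced by a tampered pipeline definition.
	bad := Attestation{att.Artifact, att.ArtifactSHA256, sha256Hex([]byte("steps: [checkout, inject, build]\n"))}
	fmt.Println("stolen key, tampered pipeline:", Verify(pub, bad, Sign(priv, bad), art, approved))
}
```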