sysdig.com
How threat actors are using self-hosted GitHub Actions runners as backdoors
Self-hosted GitHub Actions runners can be weaponized into persistent backdoors that communicate entirely over trusted channels. Because all traffic flows to github.com, traditional network defenses are largely blind to the threat.