Runtime visibility and kernel-level enforcement for GitHub Actions workflows and AI agent runtimes.
codecargo.com · SOC 2 Type II Compliant
Wave 1 · The Threat Is Already Inside Your Pipelines
The Actions You Trust Are Being Weaponized
GitHub Actions is the proving ground for runtime supply chain attacks. Since early 2025, attackers have turned actions that thousands of organizations depend on into credential exfiltration tools.
CVE-2025-30066
March 2025
tj-actions/changed-files
A stolen PAT let attackers retroactively point the action's version tags at a malicious commit. The payload dumped the runner's CI/CD secrets (AWS keys, GitHub tokens, RSA keys) into workflow logs, which are publicly readable on public repositories.
23,000+
repos affected
CISA
advisory issued
Supply Chain Compromise
March 2026
aquasecurity/trivy-action
Attackers force-pushed 75 of 76 version tags of Aqua Security's official Trivy scanner action. A security tool became the exfiltration channel for the orgs depending on it.
10,000+
workflows
75/76
tags compromised
OSS Maintainer Breach
2025
TanStack
A compromised maintainer account let attackers push malicious workflows into a popular OSS project, pivoting through CI to reach downstream consumers and their secrets.
Millions
downstream installs
CI
as attack pivot
Sources: CISA Alert (CVE-2025-30066), Wiz Research, StepSecurity, Aqua Security, Palo Alto Unit 42
codecargo.com · SOC 2 Type II · GitHub Marketplace
Wave 2 · The Same Pattern Hits AI Agents
Coding Agents Inherit Every Runtime Risk—and Add New Ones
Cursor, Claude Code, Copilot Workspace, Devin: every coding agent is an ordinary process on a developer or CI host, with the same unrestricted network stack as a CI runner, but with broader credentials, a faster tool-install cadence, and a new attack surface: prompt injection.
CVE-2025-32711
June 2025
EchoLeak · M365 Copilot
A single crafted email silently steered Microsoft 365 Copilot into exfiltrating tenant data through its own tool calls. The first widely-publicized zero-click prompt injection against a production AI agent.
Zero-click
exploit chain
9.3
CVSS score
Tool Supply Chain
Ongoing
Unsigned MCP Servers
Thousands of MCP servers and agent tools ship with no signing, no attestation, and no registry review. Each one runs with the agent’s full privilege scope—the tj-actions playbook, retold at higher stakes.
0
default verification
Full
credential access
Universal Pattern
2024 – 2026
The Lethal Trifecta
Access to private data + exposure to attacker-controlled input + unrestricted network egress = credential leak. Every major coding agent has shipped mitigations for this pattern. None of them closes it at the network layer.
Every
major agent
0
with egress controls
Sources: Aim Labs disclosure (EchoLeak / CVE-2025-32711), Microsoft Security Response Center, Anthropic & OpenAI agent safety research, Simon Willison “Lethal Trifecta”
The Root Cause
Same Linux Kernel. Same Egress Gap.
Runners and agent sandboxes share the same network stack. Both can reach any IP, any host, any port. SCA scanners, dependency pinning, and prompt-injection filters all vet code and input before execution; none of them observes or constrains what a process connects to once it is running, so the exfiltration itself is never seen.
Today’s Reality — Runners and Agents Both
Unrestricted network egress
Workflows and agent processes alike can talk to any host. One compromised action or one bad tool call opens a socket and leaves.
Secrets sit in plain memory
CI tokens, cloud keys, IDE credentials, model API keys—all reachable by any step in the job or any tool an agent decides to call.
No runtime visibility
You can't answer "what did this workflow or agent talk to last night?" Hosted runners and agent sandboxes keep no per-connection network log to query.
Pre-execution checks come too late
Tag rewrites, maintainer takeovers, prompt injections, poisoned tool outputs: none of them is visible to static analysis.
What That Means For You
Minutes
From a single compromised action or a single poisoned tool output to credentials posted publicly—the full kill chain fits inside one workflow or one agent session.
Broader Scope
Agents authorize against your IDE, shell, cloud, and persistent dev environment. The blast radius is bigger than CI ever was.
Zero Forensics
When the incident hits, you can’t prove what was taken or where it went—because nothing was watching the network in the first place.
CargoWall
One Control Plane. Every Endpoint Enforced.
Define egress policy once in CargoWall’s control plane. It pushes down to every endpoint—every CI runner, every agent runtime—where eBPF enforces it in the kernel. One source of truth, heterogeneous workloads, kernel-level guarantees.
Control Plane — Define Once
Author egress policies in a single dashboard. Per-workflow, per-agent, per-team, or org-wide. Build allowlists from audit-mode discovery so you’re never guessing. Versioned, reviewable, auditable as code.
Endpoints — Enforce in the Kernel
The CargoWall agent installs on every CI runner and every agent host. Your central policy is pushed down and enforced in eBPF—compromised actions, malicious MCP servers, and prompt-injected agents all lose their exfiltration channel before a byte leaves the host.
Per-workflow & per-agent allowlists
Different policies for build, deploy, release, and each agent profile.
DNS interception
Stop tunneled exfiltration cold.
No added latency
No proxy hops. Enforcement runs in the kernel at line rate.
Forensic audit log
Every connection, attributed and queryable.
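The DNS interception item above is where tunnelled exfiltration is caught: data smuggled out as subdomain labels of attacker-controlled names. The following is an added example in Python, not CargoWall's implementation, of one heuristic an egress monitor can apply to the query names it intercepts from a single job. The thresholds, the two-label notion of a "parent domain" (no public-suffix handling) and the sample query list are all assumptions constructed for illustration.

```python
"""Flag DNS query patterns that look like tunnelled exfiltration.

Added example, not CargoWall code. Runs over the DNS query names an egress
monitor would see from one job and reports parent domains whose subdomain
labels look like smuggled data: long labels, high character entropy, and
many distinct names under one parent. Thresholds and the two-label parent
domain are assumptions; the sample query list is constructed.
"""
import hashlib
import math
from collections import defaultdict

MAX_LABEL_LEN = 40      # assumption: ordinary hostnames rarely exceed this
ENTROPY_LIMIT = 3.5     # bits/char; hex or base32 payloads sit near 3.7-4.0
MIN_UNIQUE_NAMES = 5    # a tunnel needs many distinct names, one per chunk


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Return (parent_domain, [subdomain labels]) for a query name.

    Assumption: the parent is the last two labels; a real deployment would
    use the public suffix list so that e.g. 'x.co.uk' is handled correctly.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def suspicious_parents(queries):
    """Map parent domain -> evidence dict for parents that look like tunnels."""
    names_by_parent = defaultdict(set)
    for q in queries:
        parent, _ = split_name(q)
        names_by_parent[parent].add(q.rstrip(".").lower())

    flagged = {}
    for parent, names in names_by_parent.items():
        long_labels = high_entropy = 0
        for n in names:
            for label in split_name(n)[1]:
                if len(label) > MAX_LABEL_LEN:
                    long_labels += 1
                if shannon_entropy(label) > ENTROPY_LIMIT:
                    high_entropy += 1
        # Either signal alone is weak; require volume plus at least one of them.
        if len(names) >= MIN_UNIQUE_NAMES and (long_labels or high_entropy):
            flagged[parent] = {
                "unique_names": len(names),
                "long_labels": long_labels,
                "high_entropy_labels": high_entropy,
            }
    return flagged


def constructed_queries():
    """Constructed sample: benign CI lookups plus a simulated tunnel that
    carries 48 hex characters of 'payload' per query name."""
    benign = ["registry.npmjs.org", "api.github.com",
              "objects.githubusercontent.com", "api.github.com", "pypi.org"]
    tunnel = [
        f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:48]}.{i}.tunnel.example"
        for i in range(6)
    ]
    return benign + tunnel


if __name__ == "__main__":
    for parent, evidence in suspicious_parents(constructed_queries()).items():
        print(parent, evidence)
```

The check deliberately requires volume (many distinct names under one parent) together with a label-shape signal, because long or random-looking labels also occur legitimately (CDN hostnames, certificate transparency probes), while a real tunnel must emit one new name per chunk. A parent flagged this way is what a DENY rule in the policy table below would then pin down.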
CargoWall Network Policies (dashboard excerpt)
47 destinations discovered · 38 allowed · 9 denied
Mode: Audit | Enforce

Network Rules
Destination            Protocol   Action
registry.npmjs.org     HTTPS      ALLOW
api.github.com         HTTPS      ALLOW
crypto-miner.xyz       TCP        DENY
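The dashboard above is the end product of "build allowlists from audit-mode discovery": audit mode records every connection each workflow makes, the observed destinations become per-workflow ALLOW rules, and enforce mode denies everything else. The following is an added example in Python, not CargoWall's code, of that pipeline over constructed audit log lines. The log line format, the field names and the `audit`/`enforce` modes are assumptions made for illustration.

```python
"""Build per-workflow egress allowlists from audit-mode connection logs and
evaluate new connections against them.

Added example, not CargoWall code. The log format (one line per connection
with workflow, protocol and destination), the field names and the audit /
enforce modes are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict

# Assumed audit-log line shape: "<timestamp> workflow=<name> proto=tcp|udp dst=<host>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) workflow=(?P<workflow>\S+) proto=(?P<proto>tcp|udp) "
    r"dst=(?P<host>[^:\s]+):(?P<port>\d+)$"
)

# Constructed sample: two workflows, one of which also reached a miner pool.
SAMPLE_AUDIT_LOG = """\
2026-03-14T02:11:08Z workflow=build proto=tcp dst=registry.npmjs.org:443
2026-03-14T02:11:09Z workflow=build proto=tcp dst=api.github.com:443
2026-03-14T02:11:12Z workflow=build proto=tcp dst=registry.npmjs.org:443
2026-03-14T02:14:30Z workflow=deploy proto=tcp dst=api.github.com:443
2026-03-14T02:14:31Z workflow=deploy proto=tcp dst=sts.amazonaws.com:443
2026-03-14T02:14:40Z workflow=build proto=tcp dst=crypto-miner.xyz:4444
this line is malformed and must be skipped
"""


def parse_audit_log(text):
    """Return a list of (workflow, host, port, proto) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append((d["workflow"], d["host"].lower(), int(d["port"]), d["proto"]))
    return events


def build_policy(events, blocklist=frozenset()):
    """Turn observed connections into per-workflow allow sets.

    Destinations on the blocklist are NOT allowlisted; they are set aside for
    review. Audit mode captures whatever the workflow actually did, including
    behaviour from an already-compromised action, so an allowlist generated
    this way still needs a human pass before it is promoted to enforce mode.
    """
    allow = defaultdict(set)
    review = defaultdict(set)
    for workflow, host, port, proto in events:
        target = review if host in blocklist else allow
        target[workflow].add((host, port, proto))
    return {"allow": dict(allow), "review": dict(review)}


def evaluate(policy, workflow, host, port, proto, mode="enforce"):
    """Decide one connection attempt. Audit mode never blocks; it only records."""
    key = (host.lower(), port, proto)
    if key in policy["allow"].get(workflow, set()):
        return "ALLOW"
    if mode == "audit":
        return "ALLOW(audit-logged)"
    return "DENY"  # default deny: anything not observed and approved is blocked


def render_rules(policy, workflow):
    """Render a workflow's rules in the dashboard's destination/protocol/action shape."""
    rows = []
    for host, port, proto in sorted(policy["allow"].get(workflow, set())):
        rows.append(f"{host:<24} {proto.upper()}/{port:<6} ALLOW")
    for host, port, proto in sorted(policy["review"].get(workflow, set())):
        rows.append(f"{host:<24} {proto.upper()}/{port:<6} DENY (review)")
    return rows


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    policy = build_policy(events, blocklist={"crypto-miner.xyz"})
    for workflow in ("build", "deploy"):
        print(f"[{workflow}]")
        print("\n".join(render_rules(policy, workflow)))
```

Two properties of this shape matter in practice. Policies are keyed per workflow, so a destination legitimate for `build` (the npm registry) is still denied for `deploy`, which never needed it. And the generated allowlist is reviewed rather than trusted: the only reason the miner pool ends up as DENY is that someone checked the audit output, which is why the first audit cycle is a discovery step, not an automatic promotion to enforce.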
Get Started
See What Your Pipelines and Agents Are Really Doing
Install the GitHub App. Run CargoWall in audit mode against your CI runners and agent sandboxes. Get a complete map of every external connection in one cycle. No commitment—just visibility you don’t have today.
5 min
One-click install from the GitHub Marketplace
1 cycle
Full egress map after the next workflow or agent run