How Systems Inherit Trust Without Revalidating It

Cisco’s CI/CD pipeline executed 300 repository clone operations and transmitted AWS credential material to an external endpoint. No security alert fired. No policy was violated. All activity originated from authenticated build contexts. All network requests used established routes. The pipeline completed its stated function — scanning dependencies, building artifacts, producing signed outputs — while exfiltrating secrets across the full repository scope. The system recorded normal completion.

---

The infrastructure assumed that trust established at component intake would remain valid across all subsequent execution contexts. A component admitted through signing verification and registry provenance checks was considered trustworthy not only at ingestion but throughout its operational lifetime — across pipeline stages, into artifact production, and across all future build cycles. The model further assumed that execution environments were isolated by construction, that credential scope was bounded to the build context that required it, and that runtime behavior of a trusted component would remain consistent with its behavior at the point of validation. No mechanism existed to revisit these assumptions once they were established.

---

Trivy — an open-source vulnerability scanner integrated into Cisco’s build pipeline — was updated to a version containing subverted logic. The update arrived with a valid signature from an unchanged registry endpoint. The system registered no change in trust status. The criteria used to establish trust — origin, signature, registry provenance — were all satisfied, because they were unchanged. The behavioral contract of the component had been altered. The system had no record of what that contract was, and therefore no mechanism to detect that it had changed. Trust was not re-evaluated because the system had delegated trust to a state, not to a behavior.

---

The altered Trivy logic executed within the same security context as legitimate scanning operations. AWS credential material — long-lived IAM access keys present as environment variables in the build context — was accessible to the scanner because the scanner required credential access to perform its legitimate function. The modified component harvested those credentials and initiated clone operations against 300 repositories. No new identity was introduced. No new execution path was opened. ShinyHunters operated entirely within the established trust boundary, using the component’s existing permissions against targets the system had never considered inspecting. The exfiltration was structurally identical to legitimate artifact processing. The system evaluated provenance. It did not evaluate behavior. These are not the same question.

---

This is the attack surface created by every CI/CD pipeline that updates dependencies without re-evaluating trust: the interval between validation and execution, which spans every build cycle indefinitely. The initial validation occurs once, at component admission. After that, the component executes with inherited trust regardless of changes to its internal logic. The attack surface is not the validation event — it is the assumption that the validation event has permanent validity. In dependency management, this interval can span months. Credentials stored in build environments during that interval are accessible to every component admitted into that context, for the lifetime of those credentials.

---

The system’s security model evaluated a state that no longer existed. At intake, Trivy’s signature was valid, its provenance was intact, and its behavior was unspecified — because the system had never recorded what legitimate behavior looked like. All prior builds completed without incident. The system had no mechanism to distinguish the compromised build from those prior builds, because it had never inspected behavior in any of them. The AWS credentials exfiltrated across 300 repositories were accessible because the pipeline required them, the component could reach them, and the security architecture contained no requirement to ask whether it should.

Trust was delegated once. It was never retrieved.