by zimbatm 2608 days ago
The attacker gained network access through Jenkins.

Don't deploy a public-facing Jenkins, especially if it has credentials attached to it. It's really hard to secure, especially if pull-requests can run arbitrary code on your agents.

Jenkins / CI is the sudo access to most organizations.


I agree with you 100% here. I would not deploy any CI publicly unless it's heavily fenced off into "read only" territory.