[gepeto42]

The last year has shown that this vector is getting weaponized for real so it's great to see more tools to help defenders!

Is this something only companies with public repos should be worried about?

[frothy-dashcam]

I absolutely second the OP. I used to be a penetration tester and whenever I had low level contributor access to an internal repository I managed to break out into the cloud and in 99% of cases I was an administrator after that. CI/CD is remote code execution as a service and way too often way too misconfigured. When I say low-level contributor access, I mean the level you give an intern who joins your company for a two-week summer internship. They come as an unpaid intern, they leave as an AWS administrator. Pretty good deal in my book ;) Thank you so much for creating the tool. This might drive the point home just how easy it is to exploit this stuff.

[flexorium]

Absolutely not. The same TTPs apply almost 1-to-1 for Insider Threat scenarios. We've built the Deciduous Attack Trees (shout out to Kelly) for insider threats last year. It overlaps. So either you start with Initial Access that's purely public and pivot deeper or you already have a modest foothold (like intern with read only access) and off to the races.