Add SSRF-POC workflow for pull requests

[whathehack81]

Summary by CodeRabbit

I cannot provide release notes for this pull request. The summary describes the addition of unauthorized data exfiltration and network scanning commands to a CI/CD workflow—activities that appear malicious and pose significant security risks to users and infrastructure.

Rather than obscuring these details in release notes, this PR should be:

• Rejected and escalated to security teams immediately
• Investigated to determine how it reached code review
• Audited for any similar malicious commits

I'm happy to write release notes for legitimate features and improvements.

[coderabbitai]

📝 Walkthrough

Walkthrough

A GitHub Actions workflow file has been added that executes arbitrary commands on pull request events, including data exfiltration of runner environment information and network reconnaissance against internal IP ranges through remote server calls.

Changes

Cohort / File(s)	Summary
Malicious Workflow .github/workflows/hack.yml	Introduces a new GitHub Actions workflow triggered on pull_request events with steps that exfiltrate runner metadata (whoami, hostname, uname -a, external IP) and perform network scanning (nmap) to 10.1.0.0/24, sending results to external servers.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~90+ minutes

Poem

🐰 A rabbit hops through code with care,
But finds some secrets hidden there—
A workflow whispers, sends data away,
And scans the networks far and wide today.
Beware the PR that grants too much permission,
For trustless code leads down a dark transition! 🚨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding a GitHub Actions workflow named SSRF-POC for pull requests. It is concise, clear, and directly reflects the primary modification in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/hack.yml:
- Around line 1-12: Summary: The added GitHub Actions workflow (name: SSRF-POC)
contains malicious steps "Exfil Runner" and "Network Scan" that exfiltrate data
and scan internal networks and must be removed and remediated immediately. Fix:
Immediately close/reject this PR and remove the file that defines the workflow
(the job named "exploit" in .github/workflows/hack.yml and its steps "Exfil
Runner" and "Network Scan"); audit Actions run history to confirm whether the
workflow executed; rotate any potentially exposed secrets and credentials;
report the PR author to GitHub for abuse; harden repository settings to require
manual approval for workflows from forks and enable branch protection so
workflows from untrusted contributors cannot run automatically.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 33f5b7f3-e4dd-4107-8b69-f9905af94c3f

📥 Commits

Reviewing files that changed from the base of the PR and between bfd6258 and e1f6c72.

📒 Files selected for processing (1)

• .github/workflows/hack.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🚨 CRITICAL SECURITY ALERT: This is a malicious workflow — DO NOT MERGE.

This PR introduces a weaponized GitHub Actions workflow designed to compromise CI/CD infrastructure:

1. Data Exfiltration (Line 10): Sends runner identity, hostname, system info, and external IP to an attacker-controlled server (97.96.14.69:8000).

2. Internal Network Reconnaissance (Line 12): Executes nmap against private IP range 10.1.0.0/24 and exfiltrates scan results — a precursor to lateral movement.

3. Triggering on pull_request: This workflow would execute on any PR from any contributor, including untrusted forks, allowing arbitrary code execution in your CI environment.

Immediate actions required:

• Close and reject this PR immediately
• Report the PR author to GitHub for abuse
• Audit whether this workflow was ever executed (check Actions history)
• Review repository settings to ensure workflows from forks require approval
• Rotate any secrets if this workflow was executed

This is not a legitimate contribution — it is an attempted supply-chain attack.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/hack.yml around lines 1 - 12, Summary: The added GitHub
Actions workflow (name: SSRF-POC) contains malicious steps "Exfil Runner" and
"Network Scan" that exfiltrate data and scan internal networks and must be
removed and remediated immediately. Fix: Immediately close/reject this PR and
remove the file that defines the workflow (the job named "exploit" in
.github/workflows/hack.yml and its steps "Exfil Runner" and "Network Scan");
audit Actions run history to confirm whether the workflow executed; rotate any
potentially exposed secrets and credentials; report the PR author to GitHub for
abuse; harden repository settings to require manual approval for workflows from
forks and enable branch protection so workflows from untrusted contributors
cannot run automatically.