Overview
Starting Monday, April 28 2025 at 16:00 UTC, StepSecurity’s Harden‑Runner began flagging unusual outbound network traffic to release-assets.githubusercontent.com from GitHub‑hosted runners in several independent customer repositories. Although the destination sits under the *.githubusercontent.com wildcard, it had never appeared in these workflows’ baselines and surfaced simultaneously across multiple organisations—strong indicators of a systemic change rather than a project‑level issue.
What is Harden‑Runner?
StepSecurity Harden‑Runner is a purpose-built runtime and network security agent for CI/CD. It offers a Community tier (free for open‑source projects) and an Enterprise tier with additional features.
- Baselines every job’s expected processes, file activity and egress destinations.
- Blocks or alerts on deviations in real‑time.
- Has a proven record of catching real supply‑chain attacks, including the tj‑actions/changed‑files compromise, Flank and the Azure Karpenter Provider.
What Harden‑Runner Saw
- Anomalous calls: It flagged anomalous network calls to release-assets.githubusercontent.com across several workflow runs belonging to multiple StepSecurity customers.
- Processes involved: legitimate build tools such as node, terraform, and go were making this network call.
- When it happened: during the package / dependency download phase of workflows.
- Why it mattered: the endpoint was new; any fresh subdomain—wildcard or not—can be abused. (In the tj‑actions incident, the malicious payload was served from gist.githubusercontent.com, another sub‑domain under the same wildcard.)
Investigation
Within minutes, StepSecurity engineers correlated the alerts across customers and hypothesised an upstream infrastructure change in GitHub Releases. To verify, we opened a ticket with GitHub Support.
GitHub’s Response (summary)
GitHub confirmed the domain is part of a recently enabled feature flag that serves release assets via release-assets.githubusercontent.com. The change is legitimate and permanent.
Exact support reply
Hi Team,
Thank you for reaching out to GitHub Support!
I checked in with our engineering teams about this.
That’s correct, we have recently turned on a feature flag that adds the address release-assets.githubusercontent.com for release assets.
This change comes a part of some internal service updates and is planned to be permanent.
The *.githubusercontent.com address is listed as a wildcard in the GitHub META API Endpoint and depending on the activity performed you may see connections to many different githubusercontent.com subdomains, with some of them being new from time to time.
I hope this information helps with the false positives. Please let me know if you have any other questions or concerns!
Resolution
- Baseline updated: Harden‑Runner now treats release-assets.githubusercontent.com as expected when workflows download release assets.
- Customer advisory: We published an in‑product notice so users who maintain strict egress allow‑lists can add the new domain.
Why Baseline Monitoring Matters
Even benign platform changes can break assumptions and, worse, be abused by attackers who register look‑alike endpoints. Harden‑Runner’s behavioural approach catches both:
- Real attacks – e.g. malicious code from gist.githubusercontent.com in the tj‑actions compromise.
- Legit changes – like this GitHub Releases migration—allowing rapid triage and minimal disruption.
Stay Protected with Harden-Runner
Boost the security of your GitHub Actions workflows with instant network visibility, strict egress controls, and built-in anomaly detection.
➡️ Get started in minutes – Add Harden‑Runner and lock down your CI/CD pipelines.
Easily integrate Harden‑Runner into your workflows automatically using Secure Workflow
.png)
