Saved February 14, 2026
The article explains how attackers can turn self-hosted GitHub Actions runners into backdoors, allowing persistent access to compromised systems. It details the Shai-Hulud worm as a case study, highlighting its methods for exploiting GitHub's infrastructure and the security risks involved.
Self-hosted GitHub Actions runners are becoming an appealing target for attackers. These runners provide organizations with control over their CI/CD workflows but also create a pathway for potential exploitation. The Shai-Hulud worm exemplifies this risk, using self-hosted runners as backdoors to maintain persistent access to compromised systems. By leveraging the automation environment of GitHub Actions, attackers can easily establish a foothold and execute arbitrary code, all while appearing to operate within trusted channels.
The Shai-Hulud attack unfolds in four stages. First, the malware creates a public repository with a unique name and description, enabling the discussions feature for command-and-control communication. Next, it acquires a runner registration token via the GitHub API, granting the attacker direct access to register a workflow runner. The third stage involves the installation of the GitHub Actions runner binary in a hidden directory, configured to run as a root process, which allows the attacker to execute commands with elevated privileges. Finally, the malware uploads a vulnerable workflow to the repository that permits command injection, enabling further exploitation through user interactions in the discussions.
Organizations must remain vigilant about the configuration and usage of self-hosted runners. The ease of setup, combined with the access they provide to internal resources, makes them attractive for attackers. Misconfigurations or overlooked security measures can lead to severe breaches. As the Shai-Hulud case demonstrates, attackers can exploit these systems effectively if teams do not implement stringent security protocols and monitoring strategies.
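The following Python script is an added example, not code from the article or from any analysis of Shai-Hulud, showing two defender-side checks that map onto the stages described above. `scan_workflow` inspects a workflow file for the combination the worm relies on: an untrusted trigger (discussions, comments, issues), a `self-hosted` runner, and a `run:` step that interpolates attacker-controlled event fields (the fields GitHub's own documentation lists as script-injection sources) directly into shell. `suspicious_runner_processes` reads `ps -eo user,pid,args` output and flags the GitHub runner process (`Runner.Listener`, the real binary name in actions/runner) when it runs as root or from a hidden directory. The two workflow texts and the process listing are constructed sample inputs; the hardened workflow passes the comment body through an environment variable, which is GitHub's documented mitigation for expression injection.

```python
import re
from dataclasses import dataclass, field

# Event-payload fields GitHub documents as attacker-controllable. Interpolating any of
# them with ${{ }} straight into a `run:` script lets the payload author inject shell.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*("
    r"github\.event\.(?:comment|discussion|issue|pull_request|review|review_comment|head_commit)\.[\w.]+"
    r"|github\.event\.commits\[[^\]]*\]\.[\w.]+"
    r"|github\.head_ref"
    r")\s*\}\}"
)
TRIGGERS = re.compile(r"\b(discussion_comment|discussion|issue_comment|issues|pull_request_target)\b")
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")
PS_LINE = re.compile(r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<args>.+)$")


@dataclass
class Finding:
    line: int
    expression: str


@dataclass
class Report:
    self_hosted: bool = False
    untrusted_triggers: list = field(default_factory=list)
    injections: list = field(default_factory=list)

    @property
    def high_risk(self) -> bool:
        # The worm's pattern: untrusted input reaching a shell on a self-hosted host.
        return self.self_hosted and bool(self.injections)


def _on_block(lines):
    """Return the lines of the top-level `on:` key (until the next unindented key)."""
    out, inside = [], False
    for line in lines:
        if re.match(r"^[\"']?on[\"']?:", line):
            inside = True
        elif inside and line.strip() and not line[0].isspace():
            break
        if inside:
            out.append(line)
    return out


def scan_workflow(text: str) -> Report:
    lines = text.splitlines()
    rep = Report()
    for trig in TRIGGERS.findall("\n".join(_on_block(lines))):
        if trig not in rep.untrusted_triggers:
            rep.untrusted_triggers.append(trig)
    in_run, run_indent = False, 0
    for num, line in enumerate(lines, 1):
        if re.match(r"^\s*runs-on:\s*.*\bself-hosted\b", line):
            rep.self_hosted = True
        m = RUN_KEY.match(line)
        if m:  # start of a run: step (inline or a `|` / `>` block scalar)
            in_run, run_indent, body = True, len(m.group(1)), m.group(2)
        elif in_run:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= run_indent:  # block scalar ended
                in_run = False
                continue
            body = line
        else:
            continue
        for expr in UNTRUSTED_EXPR.finditer(body):
            rep.injections.append(Finding(num, expr.group(1)))
    return rep


def suspicious_runner_processes(ps_output: str) -> list:
    """Flag Runner.Listener processes running as root or from a hidden directory."""
    hits = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line.strip())
        if not m or "Runner.Listener" not in m["args"]:
            continue
        exe = m["args"].split()[0]
        reasons = []
        if m["user"] == "root":
            reasons.append("runs-as-root")
        if any(p.startswith(".") for p in exe.split("/") if p not in (".", "..")):
            reasons.append("hidden-directory")
        if reasons:
            hits.append((int(m["pid"]), exe, reasons))
    return hits


# Constructed sample: a workflow shaped like the one described in the article.
VULNERABLE_WORKFLOW = """name: discussion-bot
on:
  discussion_comment:
    types: [created]
jobs:
  reply:
    runs-on: [self-hosted, linux]
    steps:
      - name: Act on comment
        run: |
          echo "Comment: ${{ github.event.comment.body }}"
          ./handle.sh "${{ github.event.discussion.title }}"
"""

# Constructed sample: same trigger, hosted runner, untrusted value passed via env.
HARDENED_WORKFLOW = """name: discussion-bot
on:
  discussion_comment:
    types: [created]
jobs:
  reply:
    runs-on: ubuntu-latest
    steps:
      - name: Act on comment
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          echo "Comment: $COMMENT_BODY"
"""

# Constructed sample of `ps -eo user,pid,args` output.
PS_SAMPLE = """USER PID ARGS
ghrunner 4120 /opt/actions-runner/bin/Runner.Listener run
root 5133 /home/svc/.cache/.gh/bin/Runner.Listener run --startuptype service
root 5140 /usr/sbin/sshd -D
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        r = scan_workflow(wf)
        print(label, "high_risk=", r.high_risk, "triggers=", r.untrusted_triggers, "injections=", r.injections)
    print(suspicious_runner_processes(PS_SAMPLE))
```

The scanner is deliberately line-oriented rather than a full YAML parser so it runs with no dependencies; it will miss expressions split across YAML folded lines, so treat a clean result as a first pass, not a proof of safety. The process check keys on the runner's binary name and launch path only; on a real host it would be paired with an allowlist of the directories and service accounts your runners are supposed to use.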