Yes, that first part was not. But the article continues like this:
- They use those credentials to make a commit adding malicious code to the CI pipeline
- The rogue pipeline job adds their public SSH key to the `.allowed_keys` file on the production server
As the pipeline is run automatically on push, they get SSH access to the remote server.
That is the "CI / CD Pipelines" bit. That being said, it's a bit underwhelming, because given the title I thought they were going to exploit a bug in the CI/CD software itself. I don't know if I'd call that "exploiting" CI/CD software.