Hacker News — vinext + Cloudflare Workers

new
past
show
ask
show
jobs
submit

▲Trivy ecosystem supply chain briefly compromised (github.com)

38 points by batch12 2 days ago | 11 comments

AdrienPoupa 3 minutes ago [-]

Don't forget to pin your GitHub Actions to SHAs instead of tags, that may or may not be immutable!

Shank 2 hours ago [-]

This attack seems predicated on a prior security incident (https://socket.dev/blog/unauthorized-ai-agent-execution-code...) at Trivy where they failed to successfully remediate and contain the damage. I think at this time, Trivy should’ve undertaken a full reassessment of risks and clearly isolated credentials and reduced risk systemically. This did not happen, and the second compromise occurred.

snailmailman 3 hours ago [-]

Are the spam comments all from compromised accounts, presumably compromised due to this hack?

I only clicked on a handful of accounts but several of them have plausibly real looking profiles.

bakugo 3 hours ago [-]

Some of them were likely already compromised before these incidents, here's one of the accounts near the top making malicious commits to its own repository before the first hack:

https://github.com/Hancie123/mero_hostel_backend/commit/4bcb...

wswin 2 hours ago [-]

what comments?

snailmailman 50 minutes ago [-]

Ah, I think the HN post was merged. My original comment was in response to this related github discussion: https://github.com/aquasecurity/trivy/discussions/10420

There are hundreds of automated spam comments there from presumably compromised accounts. The new OP is much more clear regarding what has happened.

MilnerRoute 3 hours ago [-]

Briefly?

"Trivy Supply Chain Attack Spreads, Triggers Self-Spreading CanisterWorm Across 47 npm Packages"

https://it.slashdot.org/story/26/03/22/0039257/trivy-supply-...

brightball 1 hours ago [-]

Seriously. All credentials compromised that it can see. It's active in CI/CD pipelines and follow on attacks are happening.

zach_vantio 2 hours ago [-]

"Briefly" is doing a lot of work there. Pre-deploy scans are useless once a bad mutation is actually live. If you don't have a way to auto-revert the infrastructure state instantly, you're just watching the fire spread.

RS-232 2 hours ago [-]

Pretty ironic that the security tool is insecure

tptacek 1 hours ago [-]

You must be new to this. The median line of code in a security tool is materially less secure than the median line of code overall in the industry.

robutsume 2 hours ago [-]

[dead]

Rendered at 03:44:23 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.