the research arm of Boost Security
$ head featured.md
20 Days Later: Trivy Compromise, Act II
FEATURED threat-intel

20 Days Later: Trivy Compromise, Act II

TL;DR

Almost exactly one year after the tj-actions/changed-files compromise, history repeats. Twenty days after the February Pwn Request on Trivy that we covered in our previous report, the attacker regained access to the Aqua Security org (through a vector still under investigation) and weaponized the aqua-bot service account. On March 19, 2026, poisoned v0.69.4 releases of Trivy were pushed through GitHub Releases, Docker registries, and 75 of 76 tags on the trivy-action GitHub Action. This is an early publication in the interest of community threat hunting; our investigation is ongoing.

--author "François Proulx"
François Proulx
François Proulx VP of Security Research

François is the VP of Security Research at Boost Security and co-creator of the poutine Open Source CI/CD scanner. He co-founded the Living Off The Pipeline (LOTP) project to describe the abuse of build tools for lateral movement. After spending years teaching defenders how to secure their workflows, he is now demonstrating how attackers are dismantling them.

 | --date 2026-03-20 | --read-time 13 min
#github-actions#pwn-request#supply-chain#ci-cd#poutine#command-injection
$ ls articles/

Recent Articles

MegaGame10418: A Throwaway Account Linked to the Hackerbot-Claw Attack
threat-intel

MegaGame10418: A Throwaway Account Linked to the Hackerbot-Claw Attack

TL;DR

Between February 27–28, 2026, the GitHub user 'hackerbot-claw' launched an automated Pwn Request campaign targeting eight high-profile repositories using the AI agent 'openclaw.' Our Package Threat Hunter caught the attack in progress. Further investigation revealed 'MegaGame10418'—a throwaway account that predated the campaign by a month—used to test the same injection techniques against a vulnerable NewRelic test repository.

Sébastien Graveline
Sébastien Graveline
Sébastien Graveline Security Researcher

Sébastien brings Red Team expertise to the research team and is a major contributor to the Living Off The Pipeline (LOTP) project. An avid CTF player who has won several prestigious competitions, he specializes in offensive CI/CD exploitation techniques and turning theoretical attack patterns into practical demonstrations.
6 min 2026-03-02
Unveiling Bagel: Why Your Developer's Laptop is the Softest Target in Your Supply Chain
tools

Unveiling Bagel: Why Your Developer's Laptop is the Softest Target in Your Supply Chain

TL;DR

We're releasing bagel, an open-source CLI that inventories security-relevant metadata on developer workstations. Credentials, misconfigs, and exposed secrets. It's cross-platform, privacy-first, and designed to help security teams understand the attack surface that modern supply chain adversaries are actively exploiting. Stay tuned for more exciting news about how Boost works to secure every part of the modern software factory (developer endpoints included).

Alexis-Maurer Fortin
Alexis-Maurer Fortin
Alexis-Maurer Fortin Senior Product Security Engineer

Alexis-Maurer is a co-creator of poutine and the architect behind Boost Security's large-scale cloud scanning infrastructure. A prolific Go developer, he wrote the majority of the codebase powering the team's automated vulnerability discovery systems.
5 min 2026-02-11
Defensive Research, Weaponized: The 2025 State of Pipeline Security
threat-intel

Defensive Research, Weaponized: The 2025 State of Pipeline Security

TL;DR

2025 didn't give us a new, magical Supply Chain vuln class; instead it gave us attackers who finally started reading our manuals. From Ultralytics' pull_request_target 0-day through Kong, tj-actions, GhostAction, Nx, GlassWorm and both Shai-Hulud waves, the common pattern wasn't typosquats but Pipeline Parasitism: living off CI/CD, maintainer accounts and developer endpoints using the same tools and patterns we published to defend them. The vuln mechanics stayed boring: shell injections and over-privileged tokens. But they were operationalized with worms, invisible Unicode payloads, blockchain C2, and even wiper failsafes. Thankfully, platforms are finally improving, yet "pwn request" is here to stay; the only sustainable answer is to treat pipelines as production systems and publish future research assuming adversaries are our most diligent readers!

François Proulx
François Proulx
François Proulx VP of Security Research

François is the VP of Security Research at Boost Security and co-creator of the poutine Open Source CI/CD scanner. He co-founded the Living Off The Pipeline (LOTP) project to describe the abuse of build tools for lateral movement. After spending years teaching defenders how to secure their workflows, he is now demonstrating how attackers are dismantling them.
21 min 2025-12-08
Don't Go with the flaw
research

Don't Go with the flaw

TL;DR

Malicious code caching, dangling commits, pseudo-versions stealthily pointing to backdoors... Go makes you just as vulnerable as other ecosystems to social engineering attacks, and can even help malicious actors cover their tracks. Go enables new manipulation techniques to subtly trick users into downloading malicious packages. In this article, we describe various attack vectors in the Go ecosystem, from social engineering to well-known attacks such as repojacking, domain hijacking, and dependency confusion. Go's ecosystem guarantees integrity, not trust.

Garance de la Brosse
Garance De La Brosse
Garance De La Brosse ex-Junior Security Researcher

Garance completed her M. Eng thesis with the team, focusing on distribution threats to the Go ecosystem and package manager vulnerabilities.
22 min 2025-12-03
$ head articles/**/*.md | more
$ git clone github.com/messypoutine/gravy-overflow

MessyPoutine CTF

Learn pipeline exploitation hands-on. Pwn requests, LOTP techniques, confused deputies, and all the gravy.

Start hacking