$ ls articles/
## 2026
20 Days Later: Trivy Compromise, Act II

TL;DR

Almost exactly one year after the tj-actions/changed-files compromise, history repeats. Twenty days after the February Pwn Request on Trivy that we covered in our previous report, the attacker regained access to the Aqua Security org (through a vector still under investigation) and weaponized the aqua-bot service account. On March 19, 2026, poisoned v0.69.4 releases of Trivy were pushed through GitHub Releases, Docker registries, and 75 of 76 tags on the trivy-action GitHub Action. This is an early publication in the interest of community threat hunting; our investigation is ongoing.

MegaGame10418: A Throwaway Account Linked to the Hackerbot-Claw Attack

TL;DR

Between February 27–28, 2026, the GitHub user 'hackerbot-claw' launched an automated Pwn Request campaign targeting eight high-profile repositories using the AI agent 'openclaw.' Our Package Threat Hunter caught the attack in progress. Further investigation revealed 'MegaGame10418'—a throwaway account that predated the campaign by a month—used to test the same injection techniques against a vulnerable NewRelic test repository.

Unveiling Bagel: Why Your Developer's Laptop is the Softest Target in Your Supply Chain

TL;DR

We're releasing bagel, an open-source CLI that inventories security-relevant metadata on developer workstations: credentials, misconfigs, and exposed secrets. It's cross-platform, privacy-first, and designed to help security teams understand the attack surface that modern supply chain adversaries are actively exploiting. Stay tuned for more exciting news about how Boost works to secure every part of the modern software factory (developer endpoints included).

## 2025
Defensive Research, Weaponized: The 2025 State of Pipeline Security

TL;DR

2025 didn't give us a new, magical Supply Chain vuln class; instead it gave us attackers who finally started reading our manuals. From Ultralytics' pull_request_target 0-day through Kong, tj-actions, GhostAction, Nx, GlassWorm and both Shai-Hulud waves, the common pattern wasn't typosquats but Pipeline Parasitism: living off CI/CD, maintainer accounts and developer endpoints using the same tools and patterns we published to defend them. The vuln mechanics stayed boring: shell injections and over-privileged tokens. But they were operationalized with worms, invisible Unicode payloads, blockchain C2, and even wiper failsafes. Thankfully, platforms are finally improving, yet "pwn request" is here to stay; the only sustainable answer is to treat pipelines as production systems and publish future research assuming adversaries are our most diligent readers!

Don't Go with the flaw

TL;DR

Malicious code caching, dangling commits, pseudo-versions stealthily pointing to backdoors... Go makes you just as vulnerable as other ecosystems to social engineering attacks, and can even help malicious actors cover their tracks. Go enables new manipulation techniques to subtly trick users into downloading malicious packages. In this article, we describe various attack vectors in the Go ecosystem, from social engineering to well-known attacks such as repojacking, domain hijacking, and dependency confusion. Go's ecosystem guarantees integrity, not trust.

Split-Second Side Doors: How Bot-Delegated TOCTOU Breaks The CI/CD Threat Model

TL;DR

A routine disclosure unraveled a class of Bot-Delegated Time-Of-Check to Time-Of-Use race conditions where helpful automation bots (often GitHub Apps) may sometimes promote untrusted code changes from a fork to a victim repo, enabling the insertion of a "side-door" malicious workflow.

Weaponizing Dependabot: Pwn Request at its Finest

TL;DR

Your trusty Dependabot (and other GitHub bots) might be an unwitting accomplice. Through "Confused Deputy" attacks, they can be tricked into merging malicious code. This doesn’t stop here. It can escalate to full command injection via crafted branch names and even bypass branch protection rules. Plus, we disclose two new TTPs to build upon previously known techniques.

Exploiting CI/CD with Style(lint): LOTP Guide

TL;DR

CI/CD remains a stealthy and soft target for supply chain attacks, especially via linters, formatters, build and test tools. This guide breaks down Living Off the Pipeline (LOTP) techniques, where attackers abuse CI tools already present in the pipeline without modifying the workflow itself, using config files, plugins, and environment variables instead.

From Pandora's Box to Nuclear Fishing: Escalating Threats in Build Pipelines Security

TL;DR

We've been quiet lately (despite recent Supply Chain drama) because we wanted a clearer picture before chiming in. Attacks on popular GitHub Actions (tj-actions/changed-files and reviewdog/action-setup) have shocked us, but not surprised us. They simply proved the point we had warned about. Alarmingly, reviewdog automatically promoted “typo-fixers” to maintainers overnight. Combine that with GitHub's audit logging gaps (attackers can update releases leaving no trace) and we've got a real mess. It’s time we reassess our threat models and demand better visibility.

Under The Radar: Zero-Days in Open Source Build Pipelines

TL;DR

Our deep dive into open source projects’ CI/CD systems has revealed that build pipelines can be just as vulnerable as any other link in the software supply chain. We found hundreds of zero-days in open source projects’ build pipelines with our detection at scale and responsibly disclosed them. Jump to the Research at Scale section to learn more.

## 2024
Unveiling 'poutine': An Open Source Build Pipelines security scanner

TL;DR

Boost Security is thrilled to announce ‘poutine’ – an Open Source security scanner CLI you can use to detect misconfigurations and vulnerabilities in Build Pipelines. Additionally, it can create an inventory of build-time dependencies so you can track known vulnerabilities (CVEs) as well. Today, the tool has about a dozen rules covering vulnerabilities found in GitHub Actions workflows and GitLab pipelines. We have plans to add support for CircleCI, Azure Pipelines and more. The source code is published under the Apache 2.0 license and it is available on GitHub.

Opening Pandora’s box - Supply Chain Insider Threats in Open Source projects

TL;DR

Granting repository Write access in an Open Source project is a high-stakes decision. We delve into the risks of insider threats, using a responsible disclosure for the AWS Karpenter project to demonstrate why strict safeguards are essential.

The tale of a Supply Chain near-miss incident

TL;DR

We disclosed to Chainguard in December 2023 that one of their GitHub Actions workflows was vulnerable to pwn request, potentially impacting the integrity of Docker images signed by their cosign Terraform Provider. Fortunately, this ended up being a near-miss incident.

## 2023
Do we need new antidotes to protect against the poisoning the supply chain of Generative AI?

TL;DR

Data poisoning is a serious threat to the supply chain of generative AI solutions. The major ramification of not validating the integrity of data sources is a loss of trust. Traditional defenses like hardened pipelines and least privilege access still apply.

Erosion of Trust: Unmasking Supply Chain Vulnerabilities in the Terraform Registry

TL;DR

Our exploration of the Terraform Registry revealed a critical vulnerability: unlike providers, modules lack cryptographic guarantees from the Dependency Lock File, making them susceptible to supply chain attacks via pwn requests.

## 2022
SLSA dip - At the Source of the problem!

TL;DR

An in-depth analysis of Source Control Management (SCM) attack vectors and mitigations using the SLSA model, covering insider threats, account compromise, and Branch Protection configurations for GitHub Enterprise Cloud.

SLSA dip - It's Build Time!

TL;DR

A comprehensive analysis of Build/CI environment attack vectors using the SLSA model, covering GitHub Actions exploitation techniques including pwn requests, cache poisoning, self-hosted runner compromise, and secrets exfiltration.