<?xml version="1.0" encoding="UTF-8"?><?xml-stylesheet href="/rss-styles.xsl" type="text/xsl"?><rss version="2.0"><channel><title>Boost Security Labs</title><description>Supply chain security research, vulnerability disclosures, and open source tools by Boost Security</description><link>https://labs.boostsecurity.io/</link><item><title>SmokedMeat: A Red Team Tool to Hack Your Pipelines First</title><link>https://labs.boostsecurity.io/articles/introducing-smokedmeat/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/introducing-smokedmeat/</guid><description>In March 2026, TeamPCP unleashed mayhem on the software supply chain: compromising Trivy, LiteLLM, KICS, Telnyx, and dozens of npm packages, proving that CI/CD pipelines are the softest target. Today we&apos;re open-sourcing SmokedMeat, the first red team framework for build pipelines (i.e. CI/CD), so defenders can finally see the full kill chain for themselves.</description><pubDate>Wed, 15 Apr 2026 00:00:00 GMT</pubDate><category>tools</category><category>smokedmeat</category><category>ci-cd</category><category>red-team</category><category>open-source</category><category>supply-chain</category><category>poutine</category><author>François Proulx</author></item><item><title>Deployment Poisoning: A(nother) Novel Attack Vector for GitHub Actions</title><link>https://labs.boostsecurity.io/articles/deployment_poisoning/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/deployment_poisoning/</guid><description>A newly discovered attack technique allowing attackers to inject commands and exfiltrate secrets by creating malicious deployments from fork pull requests. 
Exploits the trust assumption that deployments come from verified services like Vercel, affecting popular integrations including Argos CI and Checkly.</description><pubDate>Tue, 07 Apr 2026 00:00:00 GMT</pubDate><category>techniques</category><category>github-actions</category><category>pwn-request</category><category>supply-chain</category><category>ci-cd</category><category>poutine</category><category>command-injection</category><author>Sébastien Graveline</author></item><item><title>TeamPCP Compromises LiteLLM: Credential Stealer in PyPI, 70 Repos Exposed</title><link>https://labs.boostsecurity.io/articles/teampcp-litellm-supply-chain-compromise/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/teampcp-litellm-supply-chain-compromise/</guid><description>TeamPCP published two malicious litellm versions to PyPI containing a .pth infostealer that runs on every Python startup. A compromised maintainer account was then used to silence the disclosure, deface repositories, and expose 70 private BerriAI repos in minutes. This is a Boost Security contribution to a broader community investigation: multiple teams worked this incident in parallel, each bringing their own angle. We focused on CI/CD forensics and GitHub account takeover evidence. The hunt continues.</description><pubDate>Tue, 24 Mar 2026 00:00:00 GMT</pubDate><category>threat-intel</category><category>supply-chain</category><category>pypi</category><category>github</category><category>ci-cd</category><category>infostealer</category><author>François Proulx</author></item><item><title>20 Days Later: Trivy Compromise, Act II</title><link>https://labs.boostsecurity.io/articles/20-days-later-trivy-compromise-act-ii/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/20-days-later-trivy-compromise-act-ii/</guid><description>Almost exactly one year after the tj-actions/changed-files compromise, history repeats. 
Twenty days after the February Pwn Request on Trivy that we covered in our previous report, the attacker regained access to the Aqua Security org (through a vector still under investigation) and weaponized the aqua-bot service account. On March 19, 2026, poisoned v0.69.4 releases of Trivy were pushed through GitHub Releases, Docker registries, and 75 of 76 tags on the trivy-action GitHub Action. This is an early publication in the interest of community threat hunting; our investigation is ongoing.</description><pubDate>Fri, 20 Mar 2026 00:00:00 GMT</pubDate><category>threat-intel</category><category>github-actions</category><category>pwn-request</category><category>supply-chain</category><category>ci-cd</category><category>poutine</category><category>command-injection</category><author>François Proulx</author></item><item><title>MegaGame10418: A Throwaway Account Linked to the Hackerbot-Claw Attack</title><link>https://labs.boostsecurity.io/articles/megagame10418-the-user-behind-hackerbot-claw/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/megagame10418-the-user-behind-hackerbot-claw/</guid><description>Between February 27–28, 2026, the GitHub user &apos;hackerbot-claw&apos; launched an automated Pwn Request campaign targeting eight high-profile repositories using the AI agent &apos;openclaw.&apos; Our Package Threat Hunter caught the attack in progress. 
Further investigation revealed &apos;MegaGame10418&apos;—a throwaway account that predated the campaign by a month—used to test the same injection techniques against a vulnerable NewRelic test repository.</description><pubDate>Mon, 02 Mar 2026 00:00:00 GMT</pubDate><category>threat-intel</category><category>github-actions</category><category>pwn-request</category><category>supply-chain</category><category>ci-cd</category><category>poutine</category><category>command-injection</category><author>Sébastien Graveline</author></item><item><title>Unveiling Bagel: Why Your Developer&apos;s Laptop is the Softest Target in Your Supply Chain</title><link>https://labs.boostsecurity.io/articles/unveiling-bagel-why-your-developers-laptop-is-the-softest-target-in-your-supply-chain/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/unveiling-bagel-why-your-developers-laptop-is-the-softest-target-in-your-supply-chain/</guid><description>We&apos;re releasing bagel, an open-source CLI that inventories security-relevant metadata on developer workstations. Credentials, misconfigs, and exposed secrets.  It&apos;s cross-platform, privacy-first, and designed to help security teams understand the attack surface that modern supply chain adversaries are actively exploiting.  Stay tuned for more exciting news about how Boost works to secure every part of the modern software factory (developer endpoints included).
</description><pubDate>Wed, 11 Feb 2026 00:00:00 GMT</pubDate><category>tools</category><category>supply-chain</category><category>security</category><category>open-source</category><category>developer-security</category><author>Alexis-Maurer Fortin</author></item><item><title>Defensive Research, Weaponized: The 2025 State of Pipeline Security</title><link>https://labs.boostsecurity.io/articles/defensive-research-weaponized-the-2025-state-of-pipeline-security/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/defensive-research-weaponized-the-2025-state-of-pipeline-security/</guid><description>2025 didn&apos;t give us a new, magical Supply Chain vuln class; instead it gave us attackers who finally started reading our manuals. From Ultralytics&apos; pull_request_target 0-day through Kong, tj-actions, GhostAction, Nx, GlassWorm and both Shai-Hulud waves, the common pattern wasn&apos;t typosquats but Pipeline Parasitism: living off CI/CD, maintainer accounts and developer endpoints using the same tools and patterns we published to defend them. The vuln mechanics stayed boring: shell injections and over-privileged tokens. But they were operationalized with worms, invisible Unicode payloads, blockchain C2, and even wiper failsafes. Thankfully, platforms are finally improving, yet &quot;pwn request&quot; is here to stay; the only sustainable answer is to treat pipelines as production systems and publish future research assuming adversaries are our most diligent readers!
</description><pubDate>Mon, 08 Dec 2025 00:00:00 GMT</pubDate><category>threat-intel</category><category>supply-chain</category><category>security</category><author>François Proulx</author></item><item><title>Don&apos;t Go with the flaw</title><link>https://labs.boostsecurity.io/articles/dont-go-with-the-flaw/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/dont-go-with-the-flaw/</guid><description>Malicious code caching, dangling commits, pseudo-versions stealthily pointing to backdoors... Go makes you just as vulnerable as other ecosystems to social engineering attacks, and can even help malicious actors cover their tracks. Go enables new manipulation techniques to subtly trick users into downloading malicious packages. In this article, we describe various attack vectors in the Go ecosystem, from social engineering to well-known attacks such as repojacking, domain hijacking, and dependency confusion. Go&apos;s ecosystem guarantees integrity, not trust.</description><pubDate>Wed, 03 Dec 2025 00:00:00 GMT</pubDate><category>research</category><category>golang</category><category>package-security</category><category>repojacking</category><author>Garance de la Brosse</author></item><item><title>Split-Second Side Doors: How Bot-Delegated TOCTOU Breaks The CI/CD Threat Model</title><link>https://labs.boostsecurity.io/articles/split-second-side-doors-how-bot-delegated-toctou-breaks-the-cicd-threat-model/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/split-second-side-doors-how-bot-delegated-toctou-breaks-the-cicd-threat-model/</guid><description>A routine disclosure unraveled a class of Bot-Delegated Time-Of-Check to Time-Of-Use race conditions where helpful automation bots (often GitHub Apps) may sometimes promote untrusted code changes from a fork to a victim repo, enabling the insertion of a &quot;side-door&quot; malicious workflow.</description><pubDate>Wed, 12 Nov 2025 00:00:00 GMT</pubDate><category>research</category><category>supply-chain</category><category>security</category><author>François Proulx</author></item><item><title>Weaponizing Dependabot: Pwn Request at its Finest</title><link>https://labs.boostsecurity.io/articles/weaponizing-dependabot-pwn-request-at-its-finest/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/weaponizing-dependabot-pwn-request-at-its-finest/</guid><description>Your trusty Dependabot (and other GitHub bots) might be an unwitting accomplice. Through &quot;Confused Deputy&quot; attacks, they can be tricked into merging malicious code. This doesn&apos;t stop here. It can escalate to full command injection via crafted branch names and even bypass branch protection rules. Plus, we disclose two new TTPs to build upon previously known techniques.</description><pubDate>Sun, 01 Jun 2025 00:00:00 GMT</pubDate><category>techniques</category><category>supply-chain</category><category>security</category><category>technique</category><category>github-actions</category><author>Sébastien Graveline</author></item><item><title>Exploiting CI/CD with Style(lint): LOTP Guide</title><link>https://labs.boostsecurity.io/articles/exploiting-cicd-with-style-lotp-guide/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/exploiting-cicd-with-style-lotp-guide/</guid><description>CI/CD remains a stealthy and soft target for supply chain attacks, especially via linters, formatters, build and test tools. 
This guide breaks down Living Off the Pipeline (LOTP) techniques, where attackers exploit CI tools already present and without modifying the workflow itself, using config files, plugins, and environment variables instead.</description><pubDate>Tue, 15 Apr 2025 00:00:00 GMT</pubDate><category>techniques</category><category>supply-chain</category><category>security</category><author>Sébastien Graveline</author></item><item><title>From Pandora&apos;s Box to Nuclear Fishing: Escalating Threats in Build Pipelines Security</title><link>https://labs.boostsecurity.io/articles/pandoras-box-to-nuclear-fishing-escalating-threats-in-build-pipeline-security/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/pandoras-box-to-nuclear-fishing-escalating-threats-in-build-pipeline-security/</guid><description>We&apos;ve been quiet lately (despite recent Supply Chain drama) because we wanted a clearer picture before chiming in. Attacks on popular GitHub Actions (tj-actions/changed-files and reviewdog/action-setup) have shocked us, but not surprised us. They simply proved the point we had warned about. Alarmingly, reviewdog automatically promoted “typo-fixers” to maintainers overnight. Combine that with GitHub&apos;s audit logging gaps (attackers can update releases leaving no trace) and we&apos;ve got a real mess. 
It’s time we reassess our threat models and demand better visibility.</description><pubDate>Wed, 19 Mar 2025 00:00:00 GMT</pubDate><category>threat-intel</category><category>supply-chain</category><category>security</category><author>François Proulx</author></item><item><title>Under The Radar: Zero-Days in Open Source Build Pipelines</title><link>https://labs.boostsecurity.io/articles/under-the-radar-zero-days-in-open-source-build-pipelines/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/under-the-radar-zero-days-in-open-source-build-pipelines/</guid><description>Our deep dive into open source projects’ CI/CD systems has revealed that build pipelines can be just as vulnerable as any other link in the software supply chain. We found hundreds of zero days on open source projects’ build pipelines with our detection at scale and responsibly disclosed them. Jump to the Research at Scale section to learn more.</description><pubDate>Tue, 25 Feb 2025 00:00:00 GMT</pubDate><category>research</category><category>github-actions</category><category>zero-day</category><category>ci-cd</category><author>Alexis-Maurer Fortin</author></item><item><title>Unveiling &apos;poutine&apos;: An Open Source Build Pipelines security scanner</title><link>https://labs.boostsecurity.io/articles/unveiling-poutine-an-open-source-build-pipelines-security-scanner/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/unveiling-poutine-an-open-source-build-pipelines-security-scanner/</guid><description>Boost Security is thrilled to announce ‘poutine’ – an Open Source security scanner CLI you can use to detect misconfigurations and vulnerabilities in Build Pipelines. Additionally, it can create an inventory of build-time dependencies so you can track known vulnerabilities (CVEs) as well. Today, the tool has about a dozen rules covering vulnerabilities found in GitHub Actions workflows and Gitlab pipelines. 
We have plans to add support for CircleCI, Azure Pipelines and more. The source code is published under the Apache 2.0 license and it is available on GitHub.</description><pubDate>Sun, 14 Apr 2024 00:00:00 GMT</pubDate><category>tools</category><category>poutine</category><category>sast</category><category>open-source</category><author>François Proulx</author></item><item><title>Opening Pandora’s box - Supply Chain Insider Threats in Open Source projects</title><link>https://labs.boostsecurity.io/articles/opening-pandora-box-supply-chain-insider-threats-in-oss-projects/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/opening-pandora-box-supply-chain-insider-threats-in-oss-projects/</guid><description>Granting repository Write access in an Open Source project is a high-stakes decision. We delve into the risks of insider threats, using a responsible disclosure for the AWS Karpenter project to demonstrate why strict safeguards are essential.</description><pubDate>Thu, 14 Mar 2024 00:00:00 GMT</pubDate><category>research</category><category>supply-chain</category><category>security</category><author>François Proulx</author></item><item><title>The tale of a Supply Chain near-miss incident</title><link>https://labs.boostsecurity.io/articles/the-tale-of-a-supply-chain-near-miss-incident/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/the-tale-of-a-supply-chain-near-miss-incident/</guid><description>We disclosed to Chainguard in December 2023 that one of their GitHub Actions workflows was vulnerable to pwn request, potentially impacting the integrity of Docker images signed by their cosign Terraform Provider. 
Fortunately, this ended up being a near-miss incident.</description><pubDate>Wed, 21 Feb 2024 00:00:00 GMT</pubDate><category>research</category><category>supply-chain</category><category>security</category><author>François Proulx</author></item><item><title>Do we need new antidotes to protect against the poisoning the supply chain of Generative AI?</title><link>https://labs.boostsecurity.io/articles/do-we-need-new-antidotes-to-protect-against-the-poisoning-the-supply-chain-of-generative-ai/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/do-we-need-new-antidotes-to-protect-against-the-poisoning-the-supply-chain-of-generative-ai/</guid><description>Data poisoning is a serious threat to the supply chain of generative AI solutions. The major ramification of not validating the integrity of data sources is a loss of trust. Traditional defenses like hardened pipelines and least privilege access still apply.</description><pubDate>Fri, 01 Sep 2023 00:00:00 GMT</pubDate><category>research</category><category>supply-chain</category><category>security</category><author>Chasen Bettinger</author></item><item><title>Erosion of Trust: Unmasking Supply Chain Vulnerabilities in the Terraform Registry</title><link>https://labs.boostsecurity.io/articles/erosion-of-trust-unmasking-supply-chain-vulnerabilities-in-the-terraform-registry/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/erosion-of-trust-unmasking-supply-chain-vulnerabilities-in-the-terraform-registry/</guid><description>Our exploration of the Terraform Registry revealed a critical vulnerability: unlike providers, modules lack cryptographic guarantees from the Dependency Lock File, making them susceptible to supply chain attacks via pwn requests.</description><pubDate>Thu, 22 Jun 2023 00:00:00 GMT</pubDate><category>research</category><category>supply-chain</category><category>security</category><author>François Proulx</author></item><item><title>SLSA dip - At the Source of the problem!</title><link>https://labs.boostsecurity.io/articles/slsa-dip-at-the-source-of-the-problem/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/slsa-dip-at-the-source-of-the-problem/</guid><description>An in-depth analysis of Source Control Management (SCM) attack vectors and mitigations using the SLSA model, covering insider threats, account compromise, and Branch Protection configurations for GitHub Enterprise Cloud.</description><pubDate>Fri, 18 Nov 2022 00:00:00 GMT</pubDate><category>research</category><category>slsa</category><category>source-control</category><category>github</category><author>François Proulx</author></item><item><title>SLSA dip - It&apos;s Build Time!</title><link>https://labs.boostsecurity.io/articles/slsa-dip-its-build-time/</link><guid isPermaLink="true">https://labs.boostsecurity.io/articles/slsa-dip-its-build-time/</guid><description>A comprehensive analysis of Build/CI environment attack vectors using the SLSA model, covering GitHub Actions exploitation techniques including pwn requests, cache poisoning, self-hosted runner compromise, and secrets exfiltration.</description><pubDate>Fri, 18 Nov 2022 00:00:00 GMT</pubDate><category>research</category><category>slsa</category><category>github-actions</category><category>ci-cd</category><author>François Proulx</author></item></channel></rss>