Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, has been attacked for the second time in a month, with malware stealing sensitive CI/CD secrets. The latest incident affected the "aquasecurity/trivy-action" and "aquasecurity/setup-trivy" GitHub Actions, which are used respectively to scan Docker container images for vulnerabilities and to install a specific version of the scanner in a GitHub Actions workflow.
Attackers have compromised the widely used open-source vulnerability scanner Trivy, planting credential-stealing malware in official releases and in the GitHub Actions that thousands of CI/CD workflows use. Unless affected projects and organizations rotate their secrets immediately, the compromise could set off a cascading supply-chain attack.
Two versions of LiteLLM were removed from the Python Package Index (PyPI) after a supply-chain attack. LiteLLM is an open-source interface for accessing multiple large language models. Specifically, LiteLLM ...
Two more GitHub Actions workflows have become the latest to be compromised by credential-stealing malware by a threat actor ...
The Trivy vulnerability scanner was compromised in a supply-chain attack by threat actors known as TeamPCP, which distributed ...
Trivy attack force-pushed 75 tags via GitHub Actions, exposing CI/CD secrets, enabling data theft and persistence across ...
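Force-pushing a tag moves it to a new commit, so any workflow that references an action as `owner/name@v1.2.3` or `@master` silently picks up whatever the tag now points at, while a workflow pinned to a full 40-character commit SHA keeps running the commit it was reviewed against. The check a response team wants is therefore a list of every `uses:` step that still floats on a tag or branch, filtered to the publisher in question. The following script is an added example written for this page, not code from Aqua Security or from the Trivy project; the workflow text, version strings and the SHA in it are constructed for illustration and are not real release identifiers.

```python
import re

# Constructed sample workflow for demonstration; not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v0.2.0
      - name: Scan image
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: myorg/app:latest
      - uses: "aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567"  # hypothetical pin
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/tool:1.0
"""

# Matches `uses:` both as the first key of a step (`- uses:`) and as a later key.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*[\"']?([^\s\"'#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses):
    """Classify a single `uses:` value.

    'sha'     - pinned to a full 40-hex commit SHA; a force-pushed tag cannot move it
    'mutable' - tag, branch, or no ref at all (no ref resolves to the default branch)
    'local'   - action in the same repository (./path), outside this check
    'docker'  - docker:// image reference; pin by digest, checked separately
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "docker"
    if "@" not in uses:
        return "mutable"
    _, ref = uses.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def audit_workflow(text):
    """Return a list of (uses_value, classification) for every uses: step in the YAML text."""
    return [(m.group(1), classify_ref(m.group(1))) for m in USES_RE.finditer(text)]


def unpinned_actions(text, owner_prefix=None):
    """Return the uses: values that float on a tag or branch.

    owner_prefix narrows the result to one publisher, e.g. "aquasecurity/",
    so a response team can list exactly which steps pull that publisher's
    actions by a mutable ref.
    """
    return [
        uses
        for uses, kind in audit_workflow(text)
        if kind == "mutable" and (owner_prefix is None or uses.startswith(owner_prefix))
    ]


if __name__ == "__main__":
    for uses, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind:8} {uses}")
    print("aquasecurity refs to pin:", unpinned_actions(SAMPLE_WORKFLOW, "aquasecurity/"))
```

Run it over every file under `.github/workflows/` and replace each reported `@tag` with the full SHA of a commit you have verified as clean, keeping the tag in a trailing comment for readability. A SHA pin only guarantees that the referenced commit cannot change; it does not tell you whether that commit predates the compromise, and it does nothing for secrets the malicious versions may already have read, which is why the rotation the incident reports call for still has to happen.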
Automating and streamlining the software development lifecycle through continuous integration and continuous delivery (CI/CD) is a cornerstone of software development today. One of the easiest tools ...
Multiple high-profile open-source projects, including those from Google, Microsoft, AWS, and Red Hat, were found to leak GitHub authentication tokens through GitHub Actions artifacts in CI/CD ...
GitHub Actions is a platform built into GitHub that automates software building, testing, and deployment. GitHub, owned by Microsoft, is a hosting service for software development using Git, an open ...
With GitHub Actions, you can build a container app, deploy a web service, publish packages to registries, or automate welcoming new programmers to your open source ...