Trivy是Aqua Security维护的一款热门开源漏洞扫描器，在一个月内第二次遭到攻击，恶意软件窃取了敏感的CI/CD机密信息。 最新事件影响了GitHub Actions中的"aquasecurity/trivy-action"和"aquasecurity/setup-trivy"，这两个工具分别用于扫描Docker容器镜像漏洞和在GitHub Actions工作流中设置特定版本的扫描器。

近期，一个自主运行的基于 AI 的机器人系统性地利用了主流开源代码库中的 GitHub Actions 工作流，在多个目标上实现远程代码执行并窃取具有写入权限的凭证。StepSecurity 联合创始人 Varun Sharma披露 了这些发生在 ...

但根据 Wiz 客户事件响应团队的最新研究，攻击者正在利用这种盲目信任。 他们发现威胁行为者正在使用暴露的GitHub个人访问Token（PATs）来访问GitHub Action Secrets，并潜入云环境，然后大肆破坏。 Beauceron Security的David Shipley表示："根本问题是这些密钥存在于代码库中。

ChatGPT and Codex flaws patched Feb 2026 exposed DNS exfiltration and GitHub tokens, raising enterprise AI security risks.

A cascading supply chain attack on GitHub that targeted Coinbase in March has now been traced back to a single token stolen from a SpotBugs workflow, which allowed a threat actor to compromise ...

Hackers can steal your GitHub tokens through OpenAI’s Codex using nothing more than a sneaky branch name ...

Command injection in Codex and a hidden outbound channel in ChatGPT exposed risks of credential theft and covert data ...

A mishandled GitHub token gave unrestricted access to Mercedes-Benz's internal GitHub Enterprise Service, exposing source code to the public. Mercedes-Benz is a prestigious German car, bus, and truck ...

Community driven content discussing all aspects of software development from DevOps to design patterns. If you ask me, GitHub’s removal of support for password authentication on August 13, 2021 was a ...