Supply Chain Attack on Trivy
tiri
11 points
3 comments
March 22, 2026
Related Discussions
- Cisco source code stolen in Trivy-linked dev environment breach _____k · 22 pts · March 31, 2026 · 62% similar
- Supply-chain attack using invisible code hits GitHub and other repositories tannhaeuser · 14 pts · March 15, 2026 · 58% similar
- The Axios supply chain attack used individually targeted social engineering cmitsakis · 36 pts · April 03, 2026 · 57% similar
- Attempts to post the latest Trivy security incident have been marked [dead] JoshuaDavid · 80 pts · March 21, 2026 · 57% similar
- Active Supply Chain Attack on axios 1.14.1 lemax · 16 pts · March 31, 2026 · 56% similar
Discussion Highlights (1 comment)
wilkystyle
I have generally preferred to avoid using community-maintained actions as far as possible, instead installing and configuring the runners as though I would a normal machine. This started from a desire to avoid an unknown amount of bloat and untrusted code, but also because I'm pretty tired of getting Node deprecation warnings for installing/using something that has nothing to do with JavaScript at all. I've always installed a pinned version of Trivy of my choosing, and installed by curl | sh. Looks like curl | sh may have saved my skin, whereas even older versions of the GitHub action were force-pushed to install the vulnerable binary.
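The comment above pins a Trivy version and installs it with curl | sh rather than through a community action whose tags can be force-pushed. A pinned version number alone still trusts whatever bytes the download server returns today, so the practical hardening is to also pin the artifact's SHA-256 in the repository and refuse to install on mismatch. The script below is an added example, not the commenter's setup and not Trivy project code; the GitHub release URL layout it constructs is an assumption to check against the project's release page, and the demo runs on a constructed stand-in file rather than a real download.

```shell
#!/bin/sh
# Added example (not from the page or the Trivy project): install a pinned
# release artifact only after its SHA-256 matches a value recorded in the repo.
# The asset naming in trivy_release_url is an assumption about the GitHub
# release layout; confirm it on the project's releases page before relying on it.
set -eu

# Build the download URL for a pinned version. Pure string construction, no network.
trivy_release_url() {
  version="$1"   # e.g. 0.58.0 (placeholder, not a version the page names)
  printf 'https://github.com/aquasecurity/trivy/releases/download/v%s/trivy_%s_Linux-64bit.tar.gz\n' \
    "$version" "$version"
}

# SHA-256 of a file, portable across sha256sum (GNU) and shasum (BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Refuse to install unless the artifact's digest equals the pinned one.
# Returns 0 and copies the file into $3 on match; returns 1 and installs nothing otherwise.
verify_and_install() {
  artifact="$1"; expected="$2"; dest_dir="$3"
  actual="$(sha256_of "$artifact")"
  if [ "$actual" != "$expected" ]; then
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
      "$artifact" "$expected" "$actual" >&2
    return 1
  fi
  mkdir -p "$dest_dir"
  cp "$artifact" "$dest_dir/"
  chmod 0755 "$dest_dir/$(basename "$artifact")"
  return 0
}

# Demo on a constructed stand-in for the downloaded binary (no real Trivy involved).
demo() {
  work="$(mktemp -d)"
  printf '#!/bin/sh\necho stand-in-trivy\n' > "$work/trivy"
  pinned="$(sha256_of "$work/trivy")"        # the value you would commit next to the version pin
  echo "pinned URL: $(trivy_release_url 0.58.0)"
  verify_and_install "$work/trivy" "$pinned" "$work/bin" && echo "clean artifact installed: ok"
  printf 'echo tampered\n' >> "$work/trivy"   # simulate a swapped artifact behind the same URL
  if verify_and_install "$work/trivy" "$pinned" "$work/bin"; then
    echo "BUG: tampered artifact was installed"
  else
    echo "tampered artifact rejected: ok"
  fi
  rm -rf "$work"
}

demo
```

In a real pipeline the `pinned` value comes from a file committed to the repository (recorded once when the version was chosen), not from hashing the freshly downloaded file, and the tarball is only extracted after `verify_and_install` succeeds. Because the expected digest lives in your repo, a later force-push or replaced release asset changes the actual digest and the install stops rather than silently picking up new bytes.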