Supply Chain Attack on Trivy
tiri
11 points
3 comments
March 22, 2026
Related Discussions
- How the Trivy supply chain attack harvested credentials from secrets managers Rial_Labs · 16 pts · April 09, 2026 · 80% similar
- European Commission cloud breach: a supply-chain compromise Sandman · 16 pts · April 04, 2026 · 63% similar
- Cisco source code stolen in Trivy-linked dev environment breach _____k · 22 pts · March 31, 2026 · 62% similar
- Supply-chain attack using invisible code hits GitHub and other repositories tannhaeuser · 14 pts · March 15, 2026 · 58% similar
- The Axios supply chain attack used individually targeted social engineering cmitsakis · 36 pts · April 03, 2026 · 57% similar
Discussion Highlights (1 comment)
wilkystyle
I have generally preferred to avoid using community-maintained actions as far as possible, instead installing and configuring the runners as though I would a normal machine. This started from a desire to avoid an unknown amount of bloat and untrusted code, but also because I'm pretty tired of getting Node deprecation warnings for installing/using something that has nothing to do with JavaScript at all. I've always installed a pinned version of Trivy of my choosing, and installed it by curl | sh. Looks like curl | sh may have saved my skin, whereas even older versions of the GitHub Action were force-pushed to install the vulnerable binary.
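The mechanism the comment above describes is that a `uses:` reference to a tag or branch is mutable: whoever controls the action repository can force-push the tag to a new commit, and every workflow that follows that tag picks it up on its next run. A full 40-character commit SHA cannot be moved, which is why GitHub's own hardening guidance says to pin third-party actions to a SHA. The same applies to a `curl | sh` installer pulled from a branch rather than a fixed release, so version pinning plus checksum verification is what makes that path safe. The following is an added example, not code from Trivy, trivy-action or the commenter: a small linter that walks a workflow file and flags every `uses:` reference that is not pinned to a full commit SHA. The workflow text, the action versions and the SHA in it are constructed for the example, not real release identifiers.

```python
"""Flag GitHub Actions `uses:` references that can be silently re-pointed.

Added example for this thread; not code from Trivy or from the commenter.
A tag or branch is mutable (it can be force-pushed at a new commit), a full
40-hex commit SHA is not, so only SHA-pinned references pass.
"""
import re

# Matches both "- uses: x" and "  uses: x" (a step with a `name:` before it).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(ref: str):
    """Split 'owner/repo[/path]@ref' into (action, ref).

    Local actions ('./path') and docker:// images are out of scope here and
    return None; they are pinned by the repo checkout or the image digest.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return (ref, "")
    action, _, version = ref.rpartition("@")
    return (action, version)


def classify(version: str) -> str:
    """Describe how mutable the reference is. Only 'sha' is immutable."""
    if version == "":
        return "unpinned"  # follows the default branch
    if SHA_RE.match(version):
        return "sha"
    if re.fullmatch(r"v?\d+(\.\d+){0,2}", version):
        return "tag"  # looks like a release tag, but tags can be force-pushed
    return "branch"  # branch name or anything else; mutable either way


def find_mutable_uses(workflow_text: str):
    """Return (line_no, action, ref, kind) for each `uses:` not pinned to a SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        parsed = parse_uses(m.group(1))
        if parsed is None:
            continue
        action, version = parsed
        kind = classify(version)
        if kind != "sha":
            findings.append((n, action, version, kind))
    return findings


# Constructed sample workflow (versions and SHA are placeholders, not real releases).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy (tag pinned, still mutable)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
      - name: Run Trivy (branch, mutable)
        uses: aquasecurity/trivy-action@master
      - name: Pinned to a commit (immutable)
        uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: ./.github/actions/local-step
      - uses: some-org/helper
"""

if __name__ == "__main__":
    for line_no, action, version, kind in find_mutable_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{version or '<default branch>'} is {kind}; pin to a commit SHA")
```

Run it against `.github/workflows/*.yml` in CI and fail the job on any finding; keep the human-readable tag in a trailing comment after the SHA so reviewers (and Dependabot) can still see what version it corresponds to.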