Security

Attackers compromised Trivy GitHub Actions by force-updating tags to deliver malware, exposing CI/CD secrets across affected pipelines.

Recent updates from the Trivy maintainers confirm that this attack was enabled by a compromised credential with write access to the repository. The incident is a continuation of the earlier March breach, during which credentials were exfiltrated from Trivy’s CI environment. Although secrets and tokens were rotated in response, the rotation process was not fully atomic, and the attacker may have retained access to newly issued credentials. This allowed the threat actor to perform authenticated operations, including force-updating tags, without needing to exploit GitHub itself. While the exact credential used in this phase has not been publicly specified, the root cause is now understood to be residual access from the earlier credential compromise.

trivy.dev:

[Trivy –] The All-in-One Security Scanner

Use Trivy to find vulnerabilities (CVE) & misconfigurations (IaC) across code repositories, binary artifacts, container images, and Kubernetes clusters.

Two versions of telnyx (4.87.1 and 4.87.2) published to PyPI on March 27, 2026 contain malicious code injected into telnyx/_client.py. The telnyx package averages over 1 million downloads per month (~30,000/day), making this a high-impact supply chain compromise. The payload downloads a second-stage binary hidden inside WAV audio files from a remote server, then either drops a persistent executable on Windows or harvests credentials on Linux/macOS. Stolen data is encrypted with AES-256-CBC and a hardcoded RSA-4096 public key before exfiltration. The RSA key and operational patterns are identical to the litellm PyPI compromise, attributing this attack to TeamPCP with high confidence.

No PyPI trusted publisher (OIDC) is configured. Trusted publishers bind PyPI uploads to a specific GitHub repository and workflow, making stolen tokens useless outside that context. Without this protection, anyone with the API token can upload any version from any machine.

The most likely scenario is that the PYPI_TOKEN was obtained through a prior credential harvesting operation.

cross-posted from: https://lemmy.dbzer0.com/post/65115248

Broken Function Level Authorization in Enterprise Campus Recruitment: A Case Study in BFLA and DPDP Compliance.

Recently, I audited the frontend architecture of Superset, a recruitment SaaS utilized by major Tech and Big Four firms and identified a critical exposure.

Here is the technical breakdown of the authorization failure:

1. Metadata Leakage The platform secures "unlisted" job links using UUIDv4s. However, rendering a public company registration page triggers a background API call for branding metadata. Despite developers using a silent=true parameter to hide this in the UI, basic network telemetry captures the request, exposing the Master Tenant UUID (companyCode).

2. The Lateral Pivot Using the leaked companyCode, I queried the public enumeration endpoint: /tnpsuite-core/public/companies/[companyCode]/job-profile-outlines

3. BFLA Bypass The API lacks token verification. It blindly trusts the companyCode and returns an unauthenticated JSON array containing hiring outlines for the 2025 and 2026 cycles.

The exposed JSON schema included:

• ctcMin, ctcMax, fixedPay (Proprietary compensation structures)

• publiclyVisible: false (Allowing a temporal bypass to view future vacancies)

• userType: COMPANY_USER including full names and emails of HR leads (A severe compliance violation under Section 8 of the DPDP Act).

Remediation & Next Steps: Complex URLs are not authorization boundaries. Security requires strict logic checks at the function level.

I have privately briefed our affected campus partners so they can initiate vendor-risk remediation. This public disclosure is heavily sanitized strictly to highlight the DPDP compliance gaps in HR tech architecture.

#CyberSecurity #AppSec #BFLA #RiskManagement #DPDP #ThreatIntel #OpenToWork

cc: Superset Data Security Council of India (DSCI) OWASP® Foundation ISACA

My nephew did this. Is he in legal trouble idk Indian law.?

https://www.linkedin.com/posts/activity-7436961550927785986-2xH8?rcm=ACoAAFf3VBUBTNIVHgRhuTOBvpuDcfEcxS2ztts

cross-posted from: https://lemmy.world/post/43868450

DOJ Press Release