Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New This Week

The Trivy supply chain attack is the story of the week. Between March 19 and 21, the official Trivy GitHub Actions repository was compromised by a threat actor tracked as TeamPCP. Every project that ran the scanner during that window should treat any CI/CD secrets present in those environments as potentially compromised. The downstream impact has expanded: attackers leveraged stolen npm publish tokens to propagate CanisterWorm, a self-spreading worm, across 47 npm packages. If Trivy ran in your pipeline during that window, rotate everything. Wiz Research has the primary writeup.


Changelog

Date         Summary
23 Mar 2026  Initial publication.

Supply Chain: The Structural Problem

The Trivy incident fits a pattern building since XZ Utils in 2024: the security tooling itself is an attack surface, and that tooling sits in CI/CD pipelines with access to production secrets.

The XZ Utils backdoor was sophisticated and almost undetected – a multi-year social engineering operation targeting an open-source maintainer. Most supply chain attacks are not that patient. The Trivy compromise used a more direct approach: compromise the official repository, inject malicious Actions steps, harvest credentials from every project running the scanner. Fast, broad, and effective.

CanisterWorm represents an escalation in technique. By using a decentralised server (reportedly an ICP canister, hence the name) as its command and control, it avoids the usual takedown path. Traditional npm package poisoning attacks die when the malicious package is removed. A self-propagating worm with a decentralised C2 is harder to clean up.

The broader npm poisoning pattern hasn’t changed: typosquatting, dependency confusion, maintainer account compromise. What has changed is the blast radius. In 2026, a compromised package reaches more environments faster, because more teams are running automated dependency updates and AI-assisted code generation that pulls packages without deep review.

What to do now:

  • If Trivy ran in your pipeline between March 19 and 21, rotate all secrets present in those environments
  • Review your CI/CD pipeline for third-party Actions – pin to commit hashes, not version tags
  • Audit your npm dependency tree for any packages updated in the past week from the affected list (Wiz has the full list)
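As an added example (not code from the newsletter), a small Python scanner that implements the pinning check from the list above: it reads workflow text, finds every `uses:` reference and reports those pinned to a tag or branch rather than a 40-character commit SHA. The action names and the SHA in the sample workflow are constructed.

```python
"""Flag GitHub Actions `uses:` references not pinned to a full commit SHA.

Added example, not from the newsletter: a tag or branch ref can be moved to
malicious code if the upstream repository is compromised; a 40-hex SHA cannot.
"""
import re

# `uses: owner/repo[/path]@ref` (quotes optional, trailing comment ignored).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<target>[^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def classify_uses(target: str) -> str:
    """Return 'local', 'docker', 'pinned' or 'unpinned' for one uses: target."""
    if target.startswith("./"):
        return "local"       # action in the same repo, no ref to pin
    if target.startswith("docker://"):
        return "docker"      # container image; pin it by digest instead
    if "@" not in target:
        return "unpinned"    # no ref at all resolves to the default branch
    ref = target.rsplit("@", 1)[1]
    return "pinned" if SHA_RE.match(ref) else "unpinned"


def scan_workflow_text(text: str) -> list:
    """Return (line_no, target, classification) for every uses: line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((line_no, m["target"], classify_uses(m["target"])))
    return findings


def unpinned_in(text: str) -> list:
    """Targets in `text` whose ref is a tag or branch rather than a SHA."""
    return [t for _, t, c in scan_workflow_text(text) if c == "unpinned"]


# Constructed sample: the same action by version tag and by a made-up SHA.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0   # tag: can be re-pointed
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
"""
```

Run `unpinned_in()` over each file under `.github/workflows`; a SHA pin covers only that action, so the pinned action's own nested `uses:` references and any container images it pulls still need review.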

AI and Agentic Security

The threat surface expands when your systems run agents. Three categories worth tracking:

Prompt injection: An agent that can read external content – emails, web pages, documents – can be instructed by that content to take actions the user didn’t intend. The attack surface is every data source the agent touches. This is not theoretical; it’s the most common agentic attack vector in production systems today. The defence is strict output parsing, sandboxed tool execution, and treating all external content as untrusted.

Sandbox escapes: Cloud-managed agent sandboxes have vulnerabilities. The Bedrock AgentCore DNS bypass (CVSS 7.5) documented at russellclare.com/ai-agent-sandbox-dns-bypass/ is a clean example: a DNS rebinding technique allowing agents to reach internal AWS metadata endpoints from within what should be an isolated execution environment. The fix is deployed, but the pattern will recur.

Agent blast radius: How much damage can an agent do if it behaves unexpectedly or is manipulated? The answer is usually more than you’d expect. Agents that have write access to production systems, can send communications, or can modify their own configuration are particularly high risk. The mitigation isn’t to avoid giving agents tools – it’s to be precise about scope and reversibility. Full writeup at russellclare.com/ai-agent-security-blast-radius/.
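To make the prompt-injection and blast-radius defences concrete, here is an added example (not from the newsletter or any particular agent framework): a gate that treats the model's reply as untrusted text, parses it against a fixed schema, rejects any tool outside an allowlist and holds irreversible actions for human approval. The tool names and the policy table are assumptions.

```python
"""Gate an agent's tool calls: strict output parsing plus per-tool scope.

Added example, not from the newsletter. The model's raw reply is untrusted
(it may have been steered by an email or web page the agent read), so it is
parsed as JSON with a fixed shape and checked against an explicit policy.
"""
import json

# Assumed policy: the only tools that exist, the exact argument keys each
# accepts, and whether the action can be undone. Anything else is rejected.
TOOL_POLICY = {
    "read_file":  {"args": {"path"},                  "reversible": True},
    "send_email": {"args": {"to", "subject", "body"}, "reversible": False},
    "delete_row": {"args": {"table", "id"},           "reversible": False},
}


def gate_tool_call(raw_model_output: str) -> dict:
    """Return {'decision': 'run' | 'approve' | 'reject', 'reason': str, 'call': dict|None}."""
    try:
        call = json.loads(raw_model_output)          # no free text, no prose
    except json.JSONDecodeError:
        return {"decision": "reject", "reason": "output is not JSON", "call": None}
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        return {"decision": "reject", "reason": "unexpected shape", "call": None}
    policy = TOOL_POLICY.get(call["tool"])
    if policy is None:
        return {"decision": "reject", "reason": "tool not allowlisted", "call": call}
    args = call["args"]
    if not isinstance(args, dict) or set(args) != policy["args"]:
        return {"decision": "reject", "reason": "argument set mismatch", "call": call}
    if not all(isinstance(v, str) for v in args.values()):
        return {"decision": "reject", "reason": "non-string argument", "call": call}
    if not policy["reversible"]:
        # Scope the blast radius: side effects that cannot be undone wait
        # for a human even when the call itself is well-formed.
        return {"decision": "approve", "reason": "irreversible action", "call": call}
    return {"decision": "run", "reason": "ok", "call": call}
```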


CVEs Worth Knowing

CVE-2026-20963 – SharePoint RCE (Active Exploitation)

Microsoft patched this insecure deserialization vulnerability in SharePoint Server in the January 13, 2026 security update (KB5002825). CISA added it to the Known Exploited Vulnerabilities catalog this week, confirming active exploitation in the wild.

If you are running SharePoint Server 2019 and have not applied the January cumulative update, apply it now. The vulnerability allows remote code execution under specific conditions via untrusted input deserialization – the classic pattern that tends to be reliably exploitable once a working proof of concept circulates.

SharePoint on-premises installations are common in enterprise environments that haven’t migrated to SharePoint Online. If you have any, check patch status today.


Identity and Authentication

Slack, Teams, and Zoom as phishing surfaces: Microsoft Defender Experts documented multiple phishing campaigns in February 2026 targeting workplace applications. The attack pattern uses signed malware delivered via Zoom and Teams to install remote management backdoors. The signing matters: it bypasses endpoint controls that flag unsigned executables. Users see what looks like a legitimate installer dialog. Defend by restricting which applications can install RMM tools and reviewing endpoint telemetry for unexpected remote management software.

MFA fatigue remains a live attack vector. The technique is simple: flood a user with push notification approval requests until they approve one to make it stop. The defence is moving away from push-notification MFA toward FIDO2 hardware keys or passkeys, which are not susceptible to fatigue attacks because the user’s device does the cryptographic handshake – there’s no “approve this request” dialog to manipulate.

TOTP (authenticator app codes) is a meaningful step up from SMS, but push notifications are the weak link in most enterprise MFA deployments. Review what your users are actually authenticating with.
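An added example, not from the newsletter, of what MFA fatigue looks like in authentication telemetry: a detector that flags any user with a burst of push challenges inside a short window and notes the denied-then-approved sequence that usually marks a successful flood. The log format is constructed; map your IdP's fields onto it.

```python
"""Detect MFA push-fatigue bursts in authentication logs.

Added example, not from the newsletter. Several push challenges for one user
within minutes, most of them denied and the last one approved, is the
signature of the flood-until-they-approve technique.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, user, MFA method, result.
SAMPLE_LOG = """\
2026-03-22T08:00:01Z alice push denied
2026-03-22T08:00:40Z alice push denied
2026-03-22T08:01:15Z alice push denied
2026-03-22T08:02:02Z alice push denied
2026-03-22T08:02:50Z alice push approved
2026-03-22T08:05:00Z bob push approved
2026-03-22T09:30:00Z bob totp approved
"""


def parse_line(line: str):
    ts, user, method, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, result


def find_push_fatigue(log_text: str, window=timedelta(minutes=10), threshold=3) -> dict:
    """Return {user: (push_count, denied_count, approved_after_denials)} for
    every user with at least `threshold` push challenges inside one `window`."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, method, result = parse_line(line)
        if method == "push":                  # TOTP/FIDO2 have no approve dialog
            events[user].append((ts, result))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):           # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) >= threshold:
                denied = sum(1 for _, r in burst if r == "denied")
                approved_after = burst[-1][1] == "approved" and denied > 0
                flagged[user] = (len(burst), denied, approved_after)
    return flagged
```

An `approved_after_denials` hit is the one to page on: the user eventually approved a request they had repeatedly refused, so the session and credential need review, not just the alert.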


Responsible Disclosure: What Happens When It Gets Ignored

The Khan/Cline incident is worth understanding as a case study. A researcher reported a vulnerability affecting the Cline AI coding extension through private disclosure channels. The disclosure was ignored for an extended period. The researcher eventually went public. The story matters not because the vulnerability was uniquely severe, but because it illustrates a failure mode in how AI tooling vendors handle security research.

The pattern: a new category of AI tools emerges, companies move fast, security research culture around those tools is underdeveloped, and researchers find that the usual disclosure norms don’t apply cleanly. Vendors may not have a security email address, a HackerOne programme, or anyone who picks up security@ reliably.

If you’re shipping AI tooling, set up responsible disclosure infrastructure before you need it. A security.txt file, a monitored email address, and a 90-day response commitment are the minimum. Researchers will find things. How you handle the first report sets the tone.


Security Hygiene: What Engineering Teams Should Actually Do

Quarterly:

  • Rotate long-lived secrets and service account credentials
  • Review IAM permissions – remove anything that hasn’t been used in 90 days
  • Audit third-party Actions and CI/CD integrations – pin to commit hashes
  • Check the CISA KEV list for anything in your stack
  • Test your incident response runbook – does everyone know what to do when something gets hit?

Annually:

  • Penetration test – external, not just automated scanning
  • Review your blast radius: if credential X were compromised, what would an attacker have access to?
  • Check dependency licenses and update major versions
  • Tabletop exercise for a supply chain compromise scenario
  • Review MFA methods in use – move push-notification MFA to FIDO2 where possible