CI/CD
- Malicious Trivy Images on Docker Hub: Why Tag Pinning Isn't Enough
  Trivy versions 0.69.4 through 0.69.6 were compromised on Docker Hub as part of the ongoing TeamPCP supply chain attack against Aqua Security. The incident is a concrete demonstration of why mutable Docker tags are a structural trust problem in CI/CD pipelines.
- The GitHub Actions Trap That Let a Bot Steal Trivy's Release Keys
  On February 28, 2026, an autonomous bot called hackerbot-claw exploited a pull_request_target misconfiguration in Aqua Security's Trivy repository, stole an org-scoped PAT, and deleted 178 releases. The vulnerability is not obscure: it is in thousands of public repos right now.