Devops

• The GitHub Actions Trap That Let a Bot Steal Trivy's Release Keys March 23, 2026

  On February 28, 2026, an autonomous bot called hackerbot-claw exploited a pull_request_target misconfiguration in Aqua Security's Trivy repository, stole an org-scoped PAT, and deleted 178 releases. The vulnerability is not obscure -- it is in thousands of public repos right now.

• NixOS Is the Right Infrastructure for AI Agents March 23, 2026

  AI agent environments are uniquely brittle in ways that traditional software is not. NixOS, with its declarative model, atomic rollbacks, and immutable base layer, addresses the specific failure modes that make agent infrastructure hard to operate at scale.

• Trivy Supply Chain Attack Escalates: CanisterWorm Self-Spreads to 47 npm Packages March 21, 2026

  The TeamPCP supply chain attack on Trivy's GitHub Actions has escalated: stolen npm tokens are now fuelling CanisterWorm, a self-propagating worm that has already compromised 47+ npm packages using a decentralised ICP canister as C2.