Securing the Software Supply Chain from Compromised Developer Tools
Reddit Community
Community Problem
Elevator Pitch
Developer tools, like Trivy's VSCode extension, are increasingly targeted, posing a significant risk to the software supply chain. A robust solution is needed to ensure the integrity of these critical components.
Full Description
https://github.com/aquasecurity/trivy/discussions/10265
Does this kind of thing scare this shit out of anyone else? Trivy is not some no-name project.
Apparently a GitHub PAT was compromised and a rogue Trivy VSCode extension was released. According to Trivy, the Trivy code itself wasn't changed/hacked, just the VSCode extension, but this could have been so much worse.
Get involved
Discussion
No comments yet. Be the first to share your thoughts.
From the Reddit thread(6 top comments)
- 40·Reddit commenter·1mo ago
Take a look at this. You really should be scared. https://www.ransomware.live/
permalink ↗ - 28·Reddit commenter·1mo ago·reply
I’d expect DevOps folks to be the least scared. It’s our job to mitigate this shit. I’m actually just disappointed in Trivy.
permalink ↗ - 12·Reddit commenter·1mo ago·reply
>Supply chain attacks on security tools are the worst kind of irony. \*laughs in crowdstrike et al and patching agents all installed with god rights and built-in C&C\*
permalink ↗ - 11·Reddit commenter·1mo ago·reply
https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation Was posted a couple of days ago but goes into more detail on the trivy rep, and others
permalink ↗ - 8·Reddit commenter·1mo ago
I'm curious to know where exactly was the vulnerability. It's said to be a "pwn request" attack on `pull_request_target`, which I understand the logic, but that needs some code executed within the github workflow, which I can't see there: https://github.com/aquasecurity/trivy/pull/10259/changes The action had those comments: > # SECURITY: Using pull_request_target to support fork PRs with write permissions. > # PR code is checked out but only for static analysis - it is never executed. So they were well aware of the risk, but they thought it was ok. Did the attack leverage somet…
permalink ↗ - 6·Reddit commenter·1mo ago
If you want to get scared then read [https://david-gilbertson.medium.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5](https://david-gilbertson.medium.com/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5) Regarding the trivy incident and the other compromised projects, this was mostly about misconfigurations with github actions. And frankly the pull\_request\_target thing is something new I learned myself and I actually question its integrity.
permalink ↗