Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets

A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. The malicious code executes within GitHub Actions runners, targeting sensitive data in CI/CD environments. It harvests secrets from runner process memory and the filesystem, encrypts the collected data, and exfiltrates it to an attacker-controlled endpoint or a fallback GitHub-based channel. The attack's scope is significant, potentially affecting over 10,000 workflow files on GitHub referencing this action.

Pulse ID: 69bd18a7cc27dfdfaf6f56a4
Pulse Link: https://otx.alienvault.com/pulse/69bd18a7cc27dfdfaf6f56a4
Pulse Author: AlienVault
Created: 2026-03-20 09:51:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ASEC #CyberSecurity #Endpoint #GitHub #InfoSec #InfoStealer #OTX #OpenThreatExchange #RAT #RCE #Rust #SupplyChain #Troll #bot #AlienVault

Killed my first troll! (this run)

#Valheim #Troll

RE: https://mastodon.social/@timpritlove/116246267755261116

Genial!

#habeck #söder #troll

Storm-2561 uses SEO poisoning to distribute fake VPN clients for credential theft

A credential theft campaign by Storm-2561 exploits SEO poisoning to distribute fake VPN clients. Users searching for legitimate VPN software are redirected to malicious websites hosting ZIP files containing trojans masquerading as trusted VPN clients. These digitally signed trojans harvest VPN credentials and exfiltrate data to attacker-controlled infrastructure. The campaign uses GitHub repositories, legitimate code-signing certificates, and sophisticated post-theft redirection strategies to avoid detection. The attack chain involves initial access through SEO manipulation, execution of malicious MSI files, credential theft via fake VPN interfaces, and data exfiltration. Defensive recommendations include enabling cloud-delivered protection, using EDR in block mode, and enforcing multi-factor authentication.

Pulse ID: 69b7da9f7950cc3e720bfb13
Pulse Link: https://otx.alienvault.com/pulse/69b7da9f7950cc3e720bfb13
Pulse Author: AlienVault
Created: 2026-03-16 10:25:35

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #EDR #GitHub #InfoSec #OTX #OpenThreatExchange #RAT #Rust #SEOPoisoning #Trojan #Troll #VPN #ZIP #bot #AlienVault

Wide-scale, opportunistic SMS pumping attacks target customer sign-up pages

A widespread SMS pumping campaign has been identified, targeting customer sign-up pages. The attackers, designated as O-UNC-036, use disposable email infrastructure and proxy services to launch high-volume, automated attacks against public API endpoints. Their objective is to create numerous accounts and trigger SMS messages to actor-controlled phone numbers, generating significant financial costs for target organizations. The attack pattern involves reconnaissance, infrastructure setup, and high-volume requests using known high-cost phone country codes. The campaign has been active since at least March 2024, affecting multiple tenants and organizations. Recommended protective measures include implementing FIDO Authentication, blocking suspicious domains and ASNs, and enhancing monitoring and response capabilities.

Pulse ID: 69b4567b03ea40d6ffd8a0f7
Pulse Link: https://otx.alienvault.com/pulse/69b4567b03ea40d6ffd8a0f7
Pulse Author: AlienVault
Created: 2026-03-13 18:24:59

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #Endpoint #InfoSec #OTX #OpenThreatExchange #Proxy #RAT #SMS #Troll #bot #AlienVault