Docker BlogApr 8

Reclaim Developer Hours through Smarter Vulnerability Prioritization with Docker and Mend.io
#Docker #Partnerships #Products #DockerHardenedImages #Softwaresupplychainsecurity #VEX

https://www.docker.com/blog/reclaim-developer-hours-through-smarter-vulnerability-prioritization-with-docker-and-mend-io/

Reclaim Developer Hours through Smarter Vulnerability Prioritization with Docker and Mend.io | Docker

Learn from Docker experts to simplify and advance your app development and management with Docker. Stay up to date on Docker events and new version

Docker
Sam Stepanyan  ๐Ÿ˜Mar 31
โš ๏ธ#Axios #npm package which is very widely used (83M weekly downloads) was compromised, turning installs into #malware ๐Ÿ˜จ
This supply chain attack has a large-scale impact: many JavaScript apps nowadays uses Axios:
#SoftwareSupplyChainSecurity
๐Ÿ‘‡
https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html
Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account

Axios 1.14.1 and 0.30.4 injected malicious [email protected] after npm compromise on March 31, 2026, deploying cross-platform RAT malware.

The Hacker News
Sam Stepanyan  ๐Ÿ˜Mar 27

#GitHub: How to catch GitHub Actions workflow injections before attackers do:
#SoftwareSupplyChainSecurity

https://github.blog/security/vulnerability-research/how-to-catch-github-actions-workflow-injections-before-attackers-do/

How to catch GitHub Actions workflow injections before attackers do

Strengthen your repositories against actions workflow injections โ€” one of the most common vulnerabilities.

The GitHub Blog
Sam Stepanyan  ๐Ÿ˜Mar 24

#LiteLLM Compromised! LiteLLM - a popular Python Library used by a lot of AI tooling got compromised on PyPI, and the malicious versions are stealing everything they can find on your machine:

#SoftwareSupplyChainSecurity

๐Ÿ‘‡
https://www.xda-developers.com/popular-python-library-backdoor-machine/

A popular Python library just became a backdoor to your entire machine

Supply chain attacks feel like they're becoming more and more common.

XDA
Sam Stepanyan  ๐Ÿ˜Mar 24

#Checkmarx GitHub Actions and Open VSX extensions hacked and replaced with malware by the same TeamPCP who hacked Trivy last week.

#SoftwareSupplyChainSecurity
๐Ÿ‘‡
https://thehackernews.com/2026/03/teampcp-hacks-checkmarx-github-actions.html

TeamPCP Hacks Checkmarx GitHub Actions Using Stolen CI Credentials

TeamPCP compromised 2 GitHub Actions post-March 19, 2026 breach, enabling credential theft and supply chain attacks.

The Hacker News
Sam Stepanyan  ๐Ÿ˜Mar 21

#Trivy, a popular open-source vulnerability scanner, was compromised - attackers hijacked 75 version tags in #GitHub Actions to deliver an infostealer.

It ran in CI pipelines, stealing creds and tokens, exfiltrating data:
#SoftwareSupplyChainSecurity
๐Ÿ‘‡
https://thehackernews.com/2026/03/trivy-security-scanner-github-actions.html

Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets

Trivy attack force-pushed 75 tags via GitHub Actions, exposing CI/CD secrets, enabling data theft and persistence across developer systems.

The Hacker News
Sam Stepanyan  ๐Ÿ˜Mar 9
#NPM: A malicious npm package '@openclaw-ai/openclawai' is spreading a full RAT #malware disguised as an #OpenClaw installer. It steals browser data, macOS Keychain entries, crypto wallets, MacOS and cloud credentials:
#SoftwareSupplyChainSecurity
๐Ÿ‘‡
https://thehackernews.com/2026/03/malicious-npm-package-posing-as.html
Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials

Malicious npm package '@openclaw-ai/openclawai' downloaded 178 times installs GhostLoader RAT, stealing credentials and crypto wallets.

The Hacker News
Docker BlogMar 3

Announcing Docker Hardened System Packages
#Products #Security #Docker #DockerHardenedImages #Security #Securitypackages #Softwaresupplychainsecurity

https://www.docker.com/blog/announcing-docker-hardened-system-packages/

Docker Hardened System Packages

Secure your container stack from the base image down. Docker Hardened System Packages offer multi-distro, secure-by-default components with near-zero CVEs.

Docker
Sam Stepanyan  ๐Ÿ˜Mar 2
#trivy: The GitHub repo of Cloud Security and Supply Chain Security vendor Aqua Security (@aquasecteam) popular vulnerability scanner tool 'trivy' was compromised yesterday via GitHub Actions:
#SoftwareSupplyChainSecurity
๐Ÿ‘‡
https://github.com/aquasecurity/trivy/discussions/10265
Trivy security incident 2026-03-01 ยท aquasecurity trivy ยท Discussion #10265

Trivy has been attacked today via GitHub Actions, along with other popular projects: https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation. We believe the vulnerability came f...

GitHub
Beth PariseauFeb 27

One last story for the week/month: Harness makes its #artifactregistry generally available beyond early preview customers, with a security twist that could challenge established players such as #jfrog

https://www.techtarget.com/searchsoftwarequality/news/366639489/Harness-Artifact-Registry-strengthens-supply-chain-governance #devsecops #appdev #softwaresupplychainsecurity

Harness Artifact Registry strengthens supply chain governance

Harness makes its artifact registry generally available beyond early preview customers, with a security twist that could challenge established players such as JFrog.

TechTarget