An AI automated security review company that views human code review as unnecessary gets hit by a supply chain attack that their automation failed to detect. Beautiful.
How many more of these are required before we can seriously talk about Web of Trust, commit signing, and decentralized crowd-sourced FOSS code review?

TeamPCP expands: Supply chain compromise spreads from Trivy to Checkmarx GitHub Actions | Sysdig
The Sysdig Threat Research Team (TRT) reveals how TeamPCP's supply chain attack spread from Trivy to Checkmarx, reusing stolen CI/CD credentials to compromise GitHub Actions and evade traditional detection.