Scary #Github #supplychain #cybersecurity attack on #Aquasecurity #docker images
This one is a classic issue of accidentally putting credentials, tokens or keys into what is pushed onto Github. It happens much more than people think.
I advocate for a completely private build process and the scaling back of public repositories, as it is easy to see how to surreptitiously modify code to inject malware into an image.
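One concrete defence against the "credentials pushed to GitHub" failure is to scan what is about to be committed before it leaves the developer's machine. The script below is an added example (it is not from the post above and not Aqua's or Trivy's code): it parses unified-diff output, looks only at added lines, and reports any that resemble a GitHub token, an AWS access key id, a private-key block, or a quoted password/secret assignment. The pattern set, the function names and the sample diff are all assumptions constructed for this demonstration; the sample AWS key is the placeholder value AWS uses in its own documentation.

```python
"""Pre-push secret check (added example, not the linked project's code).

Scans the added ('+') lines of a unified diff for credential-shaped strings
so a leaked token is caught before the commit is pushed to a public repo.
"""
import re
import subprocess
import sys

# Illustrative patterns (assumption): extend with the providers you use.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]"
    ),
}


def scan_diff(diff_text):
    """Return a list of (file, new_line_no, pattern_name) for each added line
    that matches a secret pattern. Removed lines are ignored because they do
    not land in the tree that gets pushed."""
    findings = []
    current_file = None
    new_line_no = 0
    in_hunk = False
    for line in diff_text.splitlines():
        if line.startswith("diff "):
            in_hunk = False          # new file section starts
            continue
        if line.startswith("+++ "):
            current_file = line[4:]
            if current_file.startswith("b/"):
                current_file = current_file[2:]
            continue
        if line.startswith("@@"):
            # Hunk header "@@ -a,b +c,d @@": c is the first new-side line number.
            m = re.search(r"\+(\d+)", line)
            new_line_no = int(m.group(1)) if m else 0
            in_hunk = True
            continue
        if not in_hunk or line.startswith("-") or line.startswith("\\"):
            continue                 # file header, removed line, or "\ No newline" marker
        if line.startswith("+"):
            content = line[1:]
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(content):
                    findings.append((current_file, new_line_no, name))
        new_line_no += 1             # both added and context lines advance the new side
    return findings


# Constructed sample diff: a token and an AWS key pasted into a build script.
SAMPLE_DIFF = """\
diff --git a/deploy.sh b/deploy.sh
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,3 +1,5 @@
 #!/bin/sh
+# constructed sample: a token pasted in for a quick test and never removed
+GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 docker build -t example/image .
-echo done
"""


def check_staged():
    """Run the scan over the staged changes of the current git repository.
    Returns the findings; exit status is decided by the caller."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_diff(diff)


if __name__ == "__main__":
    # With no repository at hand, run against the constructed sample.
    results = scan_diff(SAMPLE_DIFF) if len(sys.argv) < 2 else check_staged()
    for path, line_no, name in results:
        print(f"{path}:{line_no}: possible {name}")
    sys.exit(1 if results else 0)
```

Wired in as a pre-commit or pre-push hook (for example, `python3 secret_check.py staged` from `.git/hooks/pre-push`), a non-zero exit blocks the push. Pattern matching of this kind only catches secrets with a recognisable shape; it complements, rather than replaces, keeping real credentials out of the build environment in the first place.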
https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/

Update: Ongoing Investigation and Continued Remediation
Open Source Security Advisory Update: Wednesday, April 1, 2026, Boston, MA, 10:00 AM ET

Over the past week, we have nearly finalized our investigation and are now in the final stages of documentation and review. There continues to be no indication that Aqua’s commercial products have been affected. As part of this process, we identified …