RE: https://fosstodon.org/@homeassistant/116295601825508570

Me: „oh, I wonder if they got the cryptography right. Might take a look.“
Blog: „…audited by @trailofbits...“
Me: „alright, nevermind, it’s going to be good, no need to check.“

RE: https://fosstodon.org/@SocketSecurity/116285042551834755

Socket has been consistently providing helpful writeups of the recent supply chain attacks. Very good signal to noise ratio, and worth following if you are struggling with figuring out the effects of the latest supply chain incidents.

#Trivy got compromised on thursday and released a backdoored new version, which was rolled back. We spent the entire friday in incident response mode. Now they got compromised again over the weekend.

I have a lot of sympathy for people under pressure during an incident, but for fucks sake, having a security tool get compromised three times within two months is just completely bonkers. We spent more time remediating security issues caused by our security tooling than any other cause. And the fact that there wasn't any official communication on friday means that we had to rely on third-party writeups, which were missing critical information like exact docker container digests and time ranges of the compromise. This made incident response completely miserable.

Anyway. Trivy 0.69.4, 0.69.5, 0.69.6 were all compromised with infostealer malware. Do what you have to do. There are several decent writeups:
- https://www.stepsecurity.io/blog/trivy-compromised-a-second-time---malicious-v0-69-4-release
- https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack
- https://labs.boostsecurity.io/articles/20-days-later-trivy-compromise-act-ii/

And Trivy has an advisory on their GitHub that covers last thursday, but not the second compromise over the weekend: https://github.com/aquasecurity/trivy/security/advisories/GHSA-69fq-xp46-6x23

#ThreatIntel #SupplyChain