
"Many of the most serious supply chain issues are caused by flaws built into applications during the CI/CD build process. A build application firewall may be the solution. The SolarWinds supply chain attack of 2020, resulting in around 18,000 affected organizations, should have been a learning point. It demonstrated a key style of supply chain attack - but we didn't learn how to prevent them. The same approach of compromising the development cycle of a widely used tool has been successfully repeated many times since then."
"In March 2026, North Korean actors hijacked an Axios npm library maintainer's account and published two malicious versions. Axios is widely trusted and usage is usually automated. During the brief period before the malicious versions were removed, it is believed they were downloaded by around 3% of the Axios userbase. The endgame was a remote access trojan, ultimately delivered via CI/CD."
"Separately, but also in February/March 2026, TeamPCP compromised Aqua's Trivy vulnerability scanner, BerriAI's LiteLLM, and Checkmarx/kics. The successful purpose was to get into the CI/CD of widely used tools. On March 31, Mercor announced itself to be 'one of thousands of companies impacted by a supply chain attack involving LiteLLM'. In early April, the European Commission lost 300Gb of data to hackers using an API key compromised in the Trivy supply chain attack."
"The problem is bad code being introduced into the CI/CD application build process. This could be invisible to the developer. Most build systems pull in npm or PyPI automatically from the repository. But a compromised package, a typo squatted dependency, or a malicious version will still get included in the build. Scanners are designed to check what goes into CI/CD, and again at the end of the build. They can often detect problematic code, but sometimes they cannot."
Serious supply chain issues often originate from flaws built into applications during the CI/CD build process. High-profile incidents show repeated compromise of the development cycle of widely used tools, including a hijacked npm maintainer account used to publish malicious package versions that delivered a remote access trojan via CI/CD. Other compromises targeted popular security and developer tools to gain access to CI/CD pipelines, leading to impacts across many organizations and data loss. The core problem is bad code entering the CI/CD build process in ways developers may not notice, such as compromised packages, typo-squatted dependencies, or malicious versions automatically pulled from repositories. Scanners may miss issues when intent is not clearly malicious or when detection is limited.
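The automatic-pull problem described above can be narrowed with a gate that runs before the build. The following is an added example, not code from the SecurityWeek article or from any product it discusses: it flags floating version ranges (which let a newly published version be selected whenever the lockfile is regenerated or absent), lock entries without an integrity hash, and tarballs resolved from outside a trusted registry. It assumes the npm lockfile v2/v3 `packages` layout and a single trusted registry host; `auditDependencies` and all package names are hypothetical.

```javascript
// Pre-build gate over package.json + package-lock.json (lockfile v2/v3 "packages" layout).
// Package names, versions and integrity strings below are constructed sample data.
const ALLOWED_REGISTRY_HOST = "registry.npmjs.org"; // assumption: the only registry this build trusts
// Exact versions such as 1.4.2 or 1.4.2-beta.1; anything else (^, ~, *, latest) floats.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function auditDependencies(manifest, lock) {
  const findings = [];
  const declared = { ...manifest.dependencies, ...manifest.devDependencies };
  for (const [name, spec] of Object.entries(declared)) {
    if (!EXACT_VERSION.test(spec)) findings.push({ name, issue: "floating-range", detail: spec });
    if (!lock.packages[`node_modules/${name}`]) findings.push({ name, issue: "not-locked", detail: spec });
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || entry.link) continue; // root project and workspace links have no tarball
    const name = path.split("node_modules/").pop();
    if (!entry.integrity) findings.push({ name, issue: "missing-integrity", detail: entry.version });
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* missing or malformed URL */ }
    if (host !== ALLOWED_REGISTRY_HOST) {
      findings.push({ name, issue: "untrusted-source", detail: String(entry.resolved) });
    }
  }
  return findings;
}

const sampleManifest = { dependencies: { "example-http-client": "^1.4.0", "example-logger": "2.0.1" } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/example-http-client": {
      version: "1.4.2",
      resolved: "https://registry.npmjs.org/example-http-client/-/example-http-client-1.4.2.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
    "node_modules/example-logger": {
      version: "2.0.1",
      resolved: "https://mirror.example.net/example-logger-2.0.1.tgz", // off-registry, no integrity
    },
  },
};

const sampleFindings = auditDependencies(sampleManifest, sampleLock);
for (const f of sampleFindings) console.log(`${f.issue}: ${f.name} (${f.detail})`);
```

A check like this only constrains which artifacts may enter the build; it does not detect a malicious version that was pinned, hashed and served from the trusted registry.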
#cicd-security #software-supply-chain-attacks #dependency-management #malicious-packages #build-application-firewall
Read at SecurityWeek