Bitwarden CLI npm Compromise: Bun-Staged Credential Stealer
Date Observed: April 23, 2026 Ecosystem: npm (Node.js) Targets: Developer workstations, GitHub Actions CI/CD pipelines, cloud environments, AI coding tool configurations Attack Type: Supply chain compromise: account hijack, OIDC Trusted Publishing abuse, malicious preinstall hook Impact: SSH keys, GitHub/npm tokens, AWS/GCP/Azure credentials, AI tool configs, and Actions secrets exfiltrated; GitHub tokens weaponized to inject malicious […]
xinference PyPI Compromise: TeamPCP-Style Credential Stealer
Date Observed: April 22, 2026 Ecosystem: PyPI (Python) Targets: AI/MLOps teams, CI/CD pipelines, cloud-connected LLM inference environments Attack Type: Supply chain compromise Impact: SSH keys, AWS/GCP/Azure/Kubernetes credentials, .env secrets, and CI/CD tokens exfiltrated to attacker-controlled infrastructure Key Takeaways On April 22, 2026, three consecutive releases of xinference versions 2.6.0, 2.6.1, and 2.6.2 were confirmed to […]
InvisiRisk Expands Build Application Firewall with Encoded Secret Detection and Hardened CI/CD Integration
Latest release (v1.1.38) delivers real-time encoded secret interception, deep dependency intelligence, and expanded GitHub Actions support Houston, TX, April 21, 2026 – InvisiRisk, which released the industry’s first Build Application Firewall (BAF) in 2025, today announced a major platform update that strengthens real-time protection of CI/CD pipelines against encoded credential exfiltration, supply-chain compromise, and dependency […]
Axios npm Supply Chain Attack: Hijacked Maintainer Account Delivers RAT
Axios npm Compromise: North Korea-Linked Threat Actor Poisons Popular HTTP Client Date Observed: March–April 2026 Ecosystem: npm, Node.js, CI/CD pipelines Targets: Axios npm package consumers: 100M+ weekly downloads across JavaScript and Node.js build environments Attack Type: Maintainer account compromise, malicious package publish, cross-platform RAT delivery Key Takeaways Axios is one of the most widely used […]
TeamPCP: How a Supply Chain Attack Hit Build Systems and CI/CD Pipelines
TeamPCP Supply Chain Campaign: CI/CD Pipeline Attacks Targeting Trivy, KICS, and LiteLLM Date Observed: March 2026 Ecosystem: GitHub Actions, npm, PyPI Targets: Aqua Security Trivy, Checkmarx KICS, BerriAI LiteLLM Attack Type: Supply chain compromise, mutable tag hijacking, CI/CD credential theft, self-propagating worm, PyPI wheel backdoor Key Takeaways: TeamPCP is a threat actor behind a coordinated […]
GlassWorm: Invisible-Code Supply Chain Worm Attack
GlassWorm: The Invisible Unicode Supply Chain Worm Targeting CI/CD Pipelines Date Observed: October 2025 – ongoing (March 2026) Ecosystem: VS Code/OpenVSX extensions, npm packages, GitHub repositories Attack Type: Stealthy supply-chain compromise → hidden payload execution → credential theft → lateral spread Key Takeaways: GlassWorm is a highly stealthy supply-chain malware campaign that emerged in October […]
SANDWORM_MODE: How a Shai-Hulud-Style npm Worm Targets CI/CD Pipelines
SANDWORM_MODE: A New Wave of npm Supply Chain Attacks Targeting CI/CD Pipelines Date of Discovery: February 20, 2026 Ecosystem: npm Type of Attack: Credential theft + AI tool compromise + worm propagation Scope: At least 19 typo-squatted npm packages Impact: Credential theft, GitHub Actions abuse, MCP injection, multi-channel exfiltration, and destructive fallback capability A coordinated […]
Hackerbot-Claw: AI-Driven Pull Request Exploits in GitHub Actions CI/CD
Hackerbot-Claw: AI-Driven Pull Request Exploits in GitHub Actions CI/CD Date Observed: Late February 2026 Ecosystem: GitHub Actions CI/CD Attack Type: Pull-request triggered workflow exploitation → Remote Code Execution (RCE) → Token theft Key Takeaways: A recent campaign attributed to the GitHub account “Hackerbot-Claw” targeted open-source repositories by exploiting misconfigured GitHub Actions workflows. Public reporting indicates […]
Why Traditional DevOps Security Tools Miss CI/CD Pipeline Attacks
Why Traditional DevOps Security Tools Miss CI/CD Pipeline Attacks by Tom Hamilton, CTO and Co-Founder, InvisiRisk, Inc. Key Takeaways: The uncomfortable truth is that a CI/CD pipeline can look secure on paper and still leak secrets or produce compromised builds in practice. Scanners are excellent at finding known issues in source code, open-source dependencies, and […]
Why the AWS CodeBreach Vulnerability Is a Reminder We Can’t Ignore
AWS CodeBreach Vulnerability: The High Cost of Unknown Risks in Your Build Pipeline The AWS CodeBreach vulnerability, reported last week by Wiz Research, exposed a flaw in AWS CodeBuild that allowed unauthenticated attackers to infiltrate the build environment, leak privileged credentials, and potentially put every AWS account at risk. This serves as a stark reminder […]