
Build & CI/CD Security Alerts

Build & CI/CD Security Alerts is where DevOps, DevSecOps, AppSec teams, and security leaders can track the vulnerabilities, attacks, and disclosures that matter most to build systems and CI/CD pipelines. Instead of rehashing general cybersecurity news, we focus on what each alert means inside the build environment: how it could affect dependency retrieval, secrets exposure, unauthorized outbound connections, artifact integrity, and software supply chain risk at the last mile.
This page is designed for teams that want timely, practical analysis of build-time threats and clearer guidance on how to strengthen their defenses and reduce risk.


Axios npm Supply Chain Attack: Hijacked Maintainer Account Delivers RAT
Date Observed: March–April 2026
Ecosystem: npm, Node.js, CI/CD pipelines
Targets: Axios npm package consumers: 100M+ weekly downloads across JavaScript and Node.js build environments
Attack Type: Maintainer account compromise, malicious package publish, cross-platform RAT delivery
Key Takeaways:
A North Korea-linked threat actor hijacked an Axios npm maintainer account and published malicious versions containing a cross-platform Remote Access Trojan
Any CI/CD pipeline
7 days ago · 5 min read


TeamPCP: How a Supply Chain Attack Hit Build Systems and CI/CD Pipelines
Date Observed: March 2026
Ecosystem: GitHub Actions, npm, PyPI
Targets: Aqua Security Trivy, Checkmarx KICS, BerriAI LiteLLM
Attack Type: Supply chain compromise, mutable tag hijacking, CI/CD credential theft, self-propagating worm, PyPI wheel backdoor
Key Takeaways:
TeamPCP targeted CI/CD pipelines, not just source code.
The campaign abused trusted paths like GitHub Actions, npm, and PyPI.
Once inside the pipeline, attackers could access secrets and credentials.
Down
Apr 7 · 5 min read


GlassWorm: Invisible-Code Supply Chain Worm Attack
Date Observed: October 2025 – ongoing (March 2026)
Ecosystem: VS Code/OpenVSX extensions, npm packages, GitHub repositories
Attack Type: Stealthy supply-chain compromise → hidden payload execution → credential theft → lateral spread
Key Takeaways:
Invisible payloads: Malicious code is hidden in Unicode characters, making it invisible in editors and diffs.
Decentralized C2: Uses Solana blockchain with Google Calendar fallback for resilient command delivery.
Wide propagati
Mar 30 · 4 min read


SANDWORM_MODE: How a Shai-Hulud-Style npm Worm Targets CI/CD Pipelines
Date of Discovery: February 20, 2026
Ecosystem: npm
Type of Attack: Credential theft + AI tool compromise + worm propagation
Scope: At least 19 typo-squatted npm packages
Impact: Credential theft, GitHub Actions abuse, MCP injection, multi-channel exfiltration, and destructive fallback capability
A coordinated supply chain attack targeted the npm ecosystem under the codename SANDWORM_MODE, disclosed by Socket Research Team on February 20, 2026. The campaign combines cred
Mar 17 · 4 min read


Hackerbot-Claw: AI-Driven Pull Request Exploits in GitHub Actions CI/CD
Date Observed: Late February 2026
Ecosystem: GitHub Actions CI/CD
Attack Type: Pull-request triggered workflow exploitation → Remote Code Execution (RCE) → Token theft
Key Takeaways:
Hackerbot-Claw exploited misconfigured GitHub Actions workflows using malicious pull-request (PR) input.
The attack executed inside the CI/CD build environment, not in merged code.
Once tokens were exposed, attackers could modify repositories and publish artifacts.
A recent campaign attributed
Mar 17 · 4 min read


Shai-Hulud Worm Reloaded: A New Wave of NPM Supply Chain Attacks and How InvisiRisk Stops It
Between November 21-23, the Shai-Hulud worm returned in a more aggressive form, rapidly spreading through the NPM ecosystem and Maven, compromising tens of thousands of repositories. InvisiRisk Build Application Firewall (BAF) includes a robust set of default security policies that enforce expected build behavior. The "Unauthorized PUT" policy serves as a critical defense against attacks like Shai-Hulud.
Dec 2, 2025 · 4 min read


The 's1ngularity' Attack: Weaponizing AI CLI Tools and How InvisiRisk Stops It
The nx 's1ngularity' attack is a powerful reminder that supply chain security requires more than just scanning dependencies. InvisiRisk provides the proactive, real-time defense needed to secure the modern software development lifecycle.
Oct 21, 2025 · 6 min read


Shai-Hulud NPM Worm Attack: Overview and InvisiRisk Protection
InvisiRisk’s BAF enforces defensive rules in the build pipeline (trusted registries/SCM, blocked packages, secret-leak prevention, response checks, git protections), and the Build Security AI Agent feature provides behavioral detection for novel, suspected worm-style activities. The defensive rules and the agent work together to stop supply-chain worms and credential-theft campaigns from spreading through your builds.
Sep 25, 2025 · 5 min read


The Great NPM Heist – What Happened and How InvisiRisk Protects You
Integrating InvisiRisk Build Application Firewall into your development workflow is a practical way to ensure that even if attackers try to slip malware into NPM or Git, your build process will catch it and shut it down before any damage is done.
Sep 19, 2025 · 6 min read


Git's Silent Takeover: How a Simple Clone Command Can Compromise Your Entire System
This post breaks down how this attack works and its devastating potential, and demonstrates how InvisiRisk's Build Application Firewall (BAF) provides a crucial, proactive defense by preventing the use of vulnerable Git versions before they can be exploited.
Sep 9, 2025 · 4 min read


GitHub's 'Pwn Request' misconfiguration: How InvisiRisk BAF Shields Your CI/CD from Hidden Threats
The dynamic nature of CI/CD pipelines necessitates a solution that can identify and block threats as they happen. InvisiRisk BAF acts as a vigilant guardian for your build process, ensuring that even if a vulnerability is present, it cannot be successfully exploited. By shifting from a reactive to a proactive security model, you can confidently leverage the power of automation without compromising the integrity of your software supply chain.
Jul 14, 2025 · 5 min read


CVE-2025-29927: Middleware Authorization Bypass in Next.js and How InvisiRisk BAF Prevents it
InvisiRisk BAF’s layered, real-time security stops attacks like the Ultralytics/Action Compromise
Apr 1, 2025 · 3 min read