ci cd security

Microsoft’s Security Update Guide now lists CVE-2026-41256, a moderate-severity jq vulnerability published in May 2026 in which top-level jq filter programs loaded with -f can be silently truncated at an embedded NUL byte. The bug is not a Windows kernel emergency or a remote wormable flaw, but...

On June 1, 2026, researchers reported that malicious versions of multiple npm packages under Red Hat’s @redhat-cloud-services namespace had been published with install-time code designed to steal developer, cloud, and CI/CD credentials. The campaign, now being tracked as Miasma, is not...

Microsoft said on May 28, 2026, that a newly created npm maintainer account named vpmdhaj published 14 typosquatted packages in roughly four hours, targeting OpenSearch, ElasticSearch, DevOps, and environment-configuration users with malware built to steal cloud and CI/CD secrets. The campaign...

Security researchers said on May 20, 2026, that three malicious releases of Microsoft’s durabletask package on PyPI — versions 1.4.1, 1.4.2, and 1.4.3 — carried a Linux-focused Mini Shai-Hulud payload capable of stealing cloud credentials and, under certain conditions, wiping disks. The...

Black Duck’s May 2026 Polaris update expands the platform’s CI, source-control, AI-scanning, license-governance, reporting, and static-analysis capabilities, with Bridge CLI 4.1.2 and 4.2.1 bringing Signal results, automated SCA fix pull requests, and language detection into developer workflows...

CVE-2026-34591 is a reminder that the most dangerous software supply chain bugs are not always found in operating systems, browsers, or cloud control planes. This newly disclosed Poetry wheel path traversal vulnerability affects a widely used Python dependency and packaging tool, allowing a...

On March 31, 2026, a malicious npm package update turned Axios, one of the JavaScript ecosystem’s most ubiquitous HTTP clients, into the latest reminder that software trust can be weaponized at scale. The compromise was brief, but the blast radius was broad: malicious versions were published...

On March 31, 2026, one of the JavaScript ecosystem’s most ubiquitous utilities became the center of a supply chain crisis: malicious versions of axios were published to npm and used to deliver a cross-platform remote access trojan to developers and CI environments. The incident matters far...

An autonomous, Claude‑powered agent named hackerbot‑claw ran a methodical, multi‑vector campaign in late February 2026 that scanned public repositories for misconfigured GitHub Actions workflows, achieved remote code execution in high‑profile projects, and exfiltrated credentials with write...

Microsoft’s security teams have issued an urgent, unambiguous warning: treat the recent Shai‑Hulud 2.0 supply‑chain worm as an active, high‑risk incident and rotate any exposed credentials immediately — including GitHub personal access tokens (PATs), npm tokens, and cloud API keys — because the...

Microsoft and U.S. cyber authorities have issued an emergency-style alarm after a fast-moving, self-replicating supply‑chain worm — now widely discussed as Shai‑Hulud 2.0 — began executing during npm package installation, harvesting developer and cloud credentials and propagating automatically...

A newly cataloged weakness in GNU Binutils — tracked as CVE-2025-1152 — exposes a memory‑management bug in the linker’s xstrdup implementation that can leak allocated memory when processing crafted input, and while vendors rate its raw CVSS severity as low, the real operational risk centers on...

A creeping, low‑severity flaw in GNU Binutils — tracked as CVE‑2025‑1151 — has drawn attention because it exposes a persistent memory leak in the linker’s xmemdup implementation and because a public proof‑of‑concept is available; while the technical impact is limited, the operational risk to...

A fast-moving, self‑replicating supply‑chain worm has infiltrated the npm ecosystem, harvesting developer credentials and using stolen tokens to republish trojanized packages that in turn spread the infection — a campaign now tracked as “Shai‑Hulud” that security teams and national agencies warn...

A publicly exposed appsettings.json containing Azure Active Directory (Entra ID) application credentials has opened a direct, programmatic path into affected tenants — a single misconfigured JSON file acting as a master key for cloud estates and enabling attackers to exchange leaked...

A publicly exposed appsettings.json file that contained Azure Active Directory application credentials has created a direct, programmatic attack path into affected tenants — a misconfiguration that can let attackers exchange leaked ClientId/ClientSecret pairs for OAuth 2.0 access tokens and then...

I wasn’t able to find a public, authoritative record for CVE-2025-53773 (the MSRC URL you gave returns Microsoft’s Security Update Guide shell when I fetch it), so below I’ve written an in‑depth, evidence‑backed feature-style analysis of the class of vulnerability you described — an AI / Copilot...

GitHub Actions users and Windows developers alike should brace for some far-reaching changes beginning this September. With the global popularity of GitHub Actions—GitHub’s industry-leading CI/CD platform—increasingly becoming central to enterprise development and open-source collaboration, even...