{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreigdkibuu7bue72cggfxkfjf6553uffskqtmgjqyfe4467hkrlobyi",
"uri": "at://did:plc:jo3wjj2gx46alocis4wubmwr/app.bsky.feed.post/3mkbpzlb2qny2"
},
"path": "/blog/2026/04/24/on-the-software-supply-chain-doom-spiral/",
"publishedAt": "2026-04-24T22:31:21.000Z",
"site": "https://tylercipriani.com",
"tags": [],
"textContent": "Hackers are pwning packages at an exhausting clip.\n\nBut the hacks are hackneyed. What’s new is the doom cycle: code that steals keys to publish code to steal more keys.\n\nA zombie army of infected code. And AI is making it worse.\n\n## GitHub Actions are a trap\n\nTrivy is an open-source security scanner. But if you used Trivy in late March, you had a bad time.\n\nOn March 19th, hackers pushed a version of Trivy that tried to smuggle secrets out of anywhere it ran. Trivy cited a “misconfiguration” in their continuous integration (CI) system, GitHub Actions.\n\nBut the exploit was less a misconfiguration and more a GitHub Actions trap.\n\n[Image: Admiral Ackbar warning about the trap in GitHub Actions]\n\nHere’s a simplified version of how Trivy got pwnd[^1]:\n\n```yaml\n# INSECURE. DO NOT USE.\non:\n  pull_request_target\n\njobs:\n  check:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef\n        with:\n          ref: refs/pull/${{ github.event.pull_request.number }}/merge\n      - uses: ./.github/actions/setup-go\n      - uses: some/go-static-analysis@c0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ff\n```\n\nAt first glance, this code looks fine:\n\n* No secrets referenced.\n* Third-party actions pinned to an immutable hash.\n* Check out a pull request. Perform some static analysis.\n\nBut this code is a verbatim antipattern from a 2021 GitHub blog post titled “preventing pwn requests”:\n\n> if the `pull_request_target` workflow only […] runs untrusted code but doesn’t reference any secrets, is it still vulnerable?\n>\n> Yes it is\n>\n> – GitHub Security Lab\n\nThe problem is `pull_request_target`:\n\n* `pull_request_target` – runs the workflow in the context of the base repository, so it plunks a nice, juicy `GITHUB_TOKEN` (the base repository’s own, with access to its secrets) into the environment, whoever opened the pull request.\n* `actions/checkout` – takes an optional parameter `persist-credentials`, which keeps that token out of the checked-out repo’s `.git/config` if set to `false`. But the default for the parameter is `true`.\n\nPut together: the `ref:` line checks out the pull request’s code onto that privileged runner, and the next step, `uses: ./.github/actions/setup-go`, runs whatever the pull request put at that path. The workflow references no secret, but the attacker’s code can read the token straight out of `.git/config`.\n\nMaking `persist-credentials: false` the default has been an open issue on `actions/checkout` since 2021.\n\n## Your `$HOME` is a crime scene\n\nOnce hackers had Trivy’s keys, they published a new version of Trivy to steal more keys.\n\nLiteLLM used Trivy in their CI. The same CI they used to publish code to PyPI, the Python package registry. When LiteLLM’s CI ran the compromised Trivy, hackers nabbed their publishing key.\n\nAnd on March 24th, when Callum McMahon fired up his IDE, his MacBook froze. That’s how he discovered the LiteLLM hijack.\n\nMcMahon’s MacBook was flailing at bad code that hackers had snuck into LiteLLM. The bad code was trying to steal credentials from:\n\n* `~/.netrc`\n* `~/.aws/credentials`\n* `~/.config/gcloud`\n* `~/.config/gh`\n* `~/.azure`\n* `~/.docker/config.json`\n* `~/.npmrc`\n* `~/.git-credentials`\n* `~/.kube/`\n\nFiles that are typically strewn around `$HOME` directories, full of tokens and keys, often unencrypted.\n\n## AI and the supply chain doom spiral\n\nWe’ve dealt with problems like unencrypted credentials, unpinned dependencies, and CI footguns forever.\n\nBut AI has accelerated _everything_, including repeating security mistakes.\n\nOn the day of the Trivy compromise, I asked Claude, “how do I scan docker registry images for security vulnerabilities?”\n\nThe reply, in part:\n\nCI/CD Integration Example (GitHub Actions with Trivy)\n\n```yaml\n- name: Scan image for vulnerabilities\n  uses: aquasecurity/trivy-action@master\n```\n\nBroken in two ways:\n\n1. Unpinned references – `master` is a reference that changes all the time. If hackers zombify the repo, I’d be the first victim.\n2. Active vulnerability – No mention whatsoever of the CVE posted that day. I never asked, so Claude never checked.\n\nMeanwhile, Vercel’s CEO has attributed his company’s recent data breach to a hacker who was “accelerated by AI.” And Anthropic’s latest hype tour includes briefing the US Federal Reserve Chair about vulnerabilities unearthed by their frontier model.\n\nBad guys with LLMs get superpowers. Good guys with LLMs fall prey to mid-2010s CI problems.\n\nAnd the same tool that can root out 27-year-old security problems in OpenBSD will still tell you to pin your GitHub actions to `@master`.\n\n* * *\n\n[^1]: My GitHub Actions example is a simpler version of the action removed in aquasecurity/trivy #10259.\n",
"title": "On the software supply-chain doom spiral"
}
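For the “GitHub Actions are a trap” section of the post above, an added example that is not the post’s own code nor anything from the Trivy project: a grep-level audit of a workflow file for the `pull_request_target` trap (the trigger, a checkout of pull-request code, `actions/checkout` without `persist-credentials: false`, and a local `uses: ./…` action run from that checkout). It also flags `uses:` references that are not pinned to a 40-hex commit SHA, which covers the `@master` suggestion the post quotes from Claude later on. The two workflow files it scans are constructed here: the post’s simplified Trivy workflow with one extra unpinned step, and a hardened counterpart. It reads YAML line by line, so it is a linter heuristic, not a parser.

```shell
#!/bin/sh
# Added example (not from the post or from Trivy): line-oriented audit of a
# GitHub Actions workflow for the pull_request_target trap + unpinned refs.
# Heuristic only: quoted values, anchors or flow style can slip past it.

# audit_workflow FILE
#   Prints one TRAP:/UNPINNED: line per finding. Returns 0 when clean, 1 otherwise.
audit_workflow() {
    f="$1"; n=0; target=0; prcode=0

    # 1. pull_request_target runs in the base repository's context: the job
    #    gets the base repo's GITHUB_TOKEN and secrets, whoever opened the PR.
    if grep -Eq '(^|[^[:alnum:]_])pull_request_target([^[:alnum:]_]|$)' "$f"; then
        target=1; n=$((n + 1))
        echo "TRAP: pull_request_target trigger: job runs with the base repo's GITHUB_TOKEN and secrets"
    fi

    # 2. Checking out the PR's merge or head ref puts the attacker's code on
    #    that privileged runner.
    if grep -Eq 'refs/pull/|pull_request\.head' "$f"; then
        prcode=1
        if [ "$target" -eq 1 ]; then
            n=$((n + 1))
            echo "TRAP: checks out pull request code inside a pull_request_target job"
        fi
    fi

    # 3. actions/checkout writes the token into .git/config unless told not to
    #    (persist-credentials defaults to true).
    if grep -Eq 'uses:[[:space:]]*actions?/checkout@' "$f" \
        && ! grep -Eq 'persist-credentials:[[:space:]]*false' "$f"; then
        n=$((n + 1))
        echo "TRAP: actions/checkout without persist-credentials: false leaves GITHUB_TOKEN in .git/config"
    fi

    # 4. A local action resolves inside the checked-out tree, so after (2) it
    #    is whatever the pull request put there.
    if [ "$target" -eq 1 ] && [ "$prcode" -eq 1 ] && grep -Eq 'uses:[[:space:]]*\./' "$f"; then
        n=$((n + 1))
        echo "TRAP: runs a local action from the checked-out tree, i.e. code from the pull request"
    fi

    # 5. Every non-local `uses:` must be pinned to a full 40-hex commit SHA;
    #    branches and tags such as @master move underneath you.
    for ref in $(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' "$f"); do
        case "$ref" in ./*) continue ;; esac
        if ! printf '%s\n' "$ref" | grep -Eq '@[0-9a-f]{40}$'; then
            n=$((n + 1))
            echo "UNPINNED: $ref is not pinned to a commit SHA"
        fi
    done
    [ "$n" -eq 0 ]
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
VULN="$WORKDIR/vuln.yml"; SAFE="$WORKDIR/safe.yml"

# Constructed input: the post's simplified Trivy workflow plus one extra step
# using the unpinned @master reference. The SHAs are the post's placeholders.
cat > "$VULN" <<'EOF'
# INSECURE. DO NOT USE.
on:
  pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
        with:
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
      - uses: ./.github/actions/setup-go
      - uses: some/go-static-analysis@c0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ff
      - uses: aquasecurity/trivy-action@master
EOF

# Constructed hardened counterpart: plain pull_request (no base-repo secrets
# for forks), no ref override, credentials not persisted, everything pinned.
cat > "$SAFE" <<'EOF'
on:
  pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
        with:
          persist-credentials: false
      - uses: ./.github/actions/setup-go
      - uses: some/go-static-analysis@c0ffeec0ffeec0ffeec0ffeec0ffeec0ffeec0ff
EOF

echo "== constructed vulnerable workflow =="
audit_workflow "$VULN" || echo "(not clean)"
echo "== constructed hardened workflow =="
audit_workflow "$SAFE" && echo "(clean)"
```

Run it in a checkout with `for w in .github/workflows/*.yml; do audit_workflow "$w"; done` to sweep a repository; a non-zero exit from any file is worth a look before the next `pull_request_target` job runs.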
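For the “Your `$HOME` is a crime scene” section of the post above, an added example that is neither the post’s code nor anything from LiteLLM: an inventory of the credential files the hijacked release went after, run against a directory treated as `$HOME`. For each file present it reports whether other local accounts can read it and, where the file format is fixed enough to check, whether it holds a secret in plaintext. The sandbox directory and every value written into it are constructed placeholders, and the per-file patterns are assumptions about each file’s usual layout, not anything the post states.

```shell
#!/bin/sh
# Added example (not from the post or from LiteLLM): inventory of the
# credential files a stealer would grab from $HOME, with two checks per file.

# audit_home_credentials DIR
#   Treats DIR as $HOME. Prints "<relative path>: <flags>" for each of the
#   files from the post that exists. Returns 0 if none exist, 1 otherwise.
audit_home_credentials() {
    home="$1"; found=0
    for rel in .netrc .aws/credentials .config/gcloud .config/gh .azure \
               .docker/config.json .npmrc .git-credentials .kube; do
        p="$home/$rel"
        [ -e "$p" ] || continue
        found=$((found + 1)); flags=""

        # Group- or world-readable: any other account or container on the box
        # can copy it, not just code running as you.
        if [ -n "$(find "$p" -prune \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null)" ]; then
            flags="$flags [group/other-readable]"
        fi

        # Plaintext-secret patterns (assumed usual layout of each file).
        case "$rel" in
            .netrc)
                grep -Eq '(^|[[:space:]])password[[:space:]]+[^[:space:]]' "$p" \
                    && flags="$flags [plaintext password]" ;;
            .aws/credentials)
                grep -q 'aws_secret_access_key' "$p" && flags="$flags [plaintext AWS secret key]" ;;
            .git-credentials)
                grep -Eq '://[^/@[:space:]]+:[^/@[:space:]]+@' "$p" \
                    && flags="$flags [plaintext token in URL]" ;;
            .npmrc)
                grep -q '_authToken=' "$p" && flags="$flags [plaintext npm token]" ;;
            .docker/config.json)
                grep -q '"auth"' "$p" && flags="$flags [base64 registry login, no credsStore]" ;;
        esac
        echo "$rel:$flags"
    done
    [ "$found" -eq 0 ]
}

# Constructed sandbox standing in for a developer's $HOME. Every value below
# is a made-up placeholder, not a real credential.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/.aws" "$SANDBOX/.kube"
chmod 700 "$SANDBOX/.aws" "$SANDBOX/.kube"

printf '[default]\naws_access_key_id = CONSTRUCTED_EXAMPLE_ID\naws_secret_access_key = CONSTRUCTED_EXAMPLE_SECRET\n' \
    > "$SANDBOX/.aws/credentials"
chmod 600 "$SANDBOX/.aws/credentials"

printf '//registry.npmjs.org/:_authToken=npm_CONSTRUCTED_EXAMPLE\n' > "$SANDBOX/.npmrc"
chmod 600 "$SANDBOX/.npmrc"

# The classic slip: written by a helper under the default umask, so it is 0644.
printf 'https://dev:ghp_CONSTRUCTED_EXAMPLE@github.com\n' > "$SANDBOX/.git-credentials"
chmod 644 "$SANDBOX/.git-credentials"

audit_home_credentials "$SANDBOX" || echo "(credential files present; see above)"
```

Point it at a real home directory with `audit_home_credentials "$HOME"`; a `[group/other-readable]` flag is the quickest fix (`chmod 600`), while a plaintext flag is a prompt to move that credential into a credential helper or keychain so a stealer gets nothing to copy.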