CI build secrets exposed

A Trivy GitHub Actions breach recently exposed CI build secrets—developers should assume tokens used in builds were leaked. (x.com) Oracle pushed a patch for a critical login flaw (CVE-2026-21992), CISA added five vulnerabilities to its KEV catalog, and analysts warn insider incidents—both deliberate theft and mistakes—are rising as AI makes data exfiltration easier. (x.com) (x.com) (x.com)

Attackers force-updated 75 of 76 version tags in the aquasecurity/trivy-action GitHub Action on March 19, 2026, replacing trusted tag references with malicious commits over an exposure window of roughly 12 hours (March 19 17:43 UTC to March 20 ~05:40 UTC). (snyk.io) The compromised release (trivy v0.69.4) was published to GitHub Releases and propagated to Docker Hub, GHCR and AWS ECR, and the injected payload dumped GitHub Actions runner process memory to harvest SSH keys, cloud credentials, Kubernetes tokens and crypto wallets. (snyk.io) Security researchers link the incident to a prior March 1 compromise that stole a Personal Access Token via a pull_request_target workflow, and researchers attribute the campaign to the TeamPCP group (aka DeadCatx3/PCPcat/ShellForce). (thehackernews.com) Snyk and other responders advised pinning Actions to exact commit SHAs and listed safe releases — trivy v0.69.3, trivy-action v0.35.0 and setup-trivy v0.2.6 — and urged rotation of pipeline secrets for any runs that referenced affected tags. (snyk.io)

Oracle issued an out-of-band Security Alert on March 19, 2026 to fix CVE-2026-21992, a critical unauthenticated remote-code-execution flaw in Oracle Identity Manager and Oracle Web Services Manager with a CVSSv3 score of 9.8 affecting versions 12.2.1.4.0 and 14.1.2.1.0. (oracle.com)

CISA added five actively exploited CVEs to its Known Exploited Vulnerabilities (KEV) catalog on March 20, 2026 — including three Apple flaws (CVE-2025-31277, CVE-2025-43510, CVE-2025-43520), a Craft CMS code-injection bug (CVE-2025-32432) and a Laravel Livewire code-injection bug (CVE-2025-54068) — and set a federal remediation due date of April 3, 2026. (cisa.gov)

Industry research shows AI is amplifying insider risk: Exabeam's survey found 74% of security professionals say AI makes insider threats more effective and 64% now view insiders as a greater risk than external attackers, while Microsoft Entra reported 97% of organizations experienced an identity or network access incident in the past year with 70% linked to AI-related activity. (secure.businesswire.com)
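One way to act on the pinning advice above is to audit workflow files for `uses:` references that point at a tag or branch instead of a full commit SHA, since a moved tag is exactly what this incident abused. This is an added example, not code from the page, Snyk or the Trivy project; the workflow text and the 40-hex SHA in it are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the page): one branch-referenced action,
# one tag-referenced action, one pinned to a 40-hex commit SHA.
# The SHA below is a made-up placeholder, not a real setup-trivy commit.
SAMPLE_WORKFLOW = """
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: fs
      - uses: aquasecurity/setup-trivy@0123456789abcdef0123456789abcdef01234567 # v0.2.6
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Matches "uses: owner/repo@ref" whether or not it starts a list item or is quoted.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_remote_uses(workflow_text):
    """Return (action, ref, pinned) for every remote action reference.

    Local (./) and docker:// references have no git ref to pin, so they are
    skipped. A reference counts as pinned only when it is a full 40-hex SHA;
    tags and branches can be force-pushed to a different commit, so they are not.
    """
    findings = []
    for match in USES_RE.finditer(workflow_text):
        target = match.group(1)
        if target.startswith("./") or target.startswith("docker://"):
            continue
        action, _, ref = target.partition("@")
        findings.append((action, ref, bool(SHA_RE.match(ref))))
    return findings


def unpinned_actions(workflow_text):
    """Just the mutable references a reviewer would ask to be pinned."""
    return [(a, r) for a, r, pinned in find_remote_uses(workflow_text) if not pinned]


if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
```

Pinning to a SHA stops a moved tag from changing what runs, but it does not undo a run that already referenced an affected tag, which is why the secret rotation advised above still applies.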

Shared from Scout - Be the smartest in the room.