Sanjeev

Trivy's GitHub Actions had a workflow called "API Diff Check" that used pull_request_target as a trigger. The problem with pull_request_target is that it runs with the permissions of the base repository (Trivy's own repo), not the fork. But this particular workflow was configured to check out the PR's code (the fork's code) and it had access to a PAT with broad permissions, not just the default ephemeral GITHUB_TOKEN. So the exploit was: 1. hackerbot-claw (an autonomous AI agent powered by Claude Opus 4.5, created Feb 20, 2026) opened a pull request from a fork 2. The pull_request_target workflow triggered, checking out the attacker's PR code 3. The attacker's code ran inside the CI runner with access to the repo's PAT (broad write permissions) 4. The payload exfiltrated the PAT to recv[.]hackmoltrepeat[.]com With that PAT, the attacker deleted all 178 Trivy releases, privatized the repo, wiped stars, and published a malicious VS Code extension. Aqua Security rotated secrets during remediation, but the rotation wasn't atomic, so the attacker captured the refreshed tokens during the process. That retained access is what TeamPCP used three weeks later on March 19 for the full supply chain attack. The root cause: a misconfigured GitHub Actions workflow that checked out untrusted fork code while holding a privileged PAT. A well-known anti-pattern, but still extremely common in open source repos. GitHub Security Lab's original writeup on this exact anti-pattern (they coined the term "pwn requests"): https://t.co/MWgl0ecBJQ That's the canonical reference. Published in 2021, warns specifically that combining pull_request_target with an explicit checkout of untrusted PR code can lead to full repository compromise. Exactly what happened to Trivy five years later.

TeamPCP compromised Aqua Security's Trivy vulnerability scanner on March 19, 2026, hijacking trivy-action and setup-trivy GitHub Actions and stealing CI/CD secrets from organizations running them. Between March 21-22, stolen credentials led to compromises of Checkmarx KICS, Aqua Security Docker images, and packages across GitHub Actions, Docker Hub, npm, Open VSX, and PyPI. On March 24 at 10:52 UTC, LiteLLM versions 1.82.7 and 1.82.8 were uploaded to PyPI using stolen publish tokens. LiteLLM used Trivy in its CI/CD pipeline. Neither version had a corresponding GitHub tag or release. 1.82.7 injected malicious code in proxy_server.py, executed on module import. 1.82.8 added a .pth file that Python executes on every interpreter startup without any import. The payload collected SSH keys, cloud credentials (AWS, GCP, Azure), Kubernetes secrets, .env files, crypto wallets, and database passwords, encrypted everything with AES-256 + RSA-4096, and sent it to models.litellm[.]cloud. On Kubernetes hosts, it deployed privileged pods to every node and installed a systemd backdoor polling checkmarx[.]zone. A bug in the .pth launcher caused recursive process spawning that crashed machines. A FutureSearch engineer found it when litellm was pulled as a transitive dependency by a Cursor MCP plugin. The malicious versions were live for approximately 9 hours. Roughly 500K exfiltration attempts reported. Both versions removed from PyPI. 1.82.6 is clean.

Helping few setup their openclaw. I gave them all the instructions but the learning curve is real for anyone not used to command line tools, models etc. easy to get overwhelmed. No wonder there are ppl who are ready to pay 5k per install. Install is just the start, there is a lot of upkeep to make it reliably smart

I frequently explain the xy problem to folks I work with. pretty interesting how frequently I run into this. someone would ask how to solve y. immediately im like 'whats the context'? then they will say I have a problem x and I'm looking to solve that with y and run into a problem with y. y may not even be the best way to solve x. lot of time is saved when someone asking for question gives the context of the "actual" problem along with the problem of the perceived solution.

Automated code review is a game of whack-a-mole. Push a change, get comments. Fix one, two more appear. The tool is designed to give feedback — so it always will, whether it's useful or not. Same with inline suggestions. I see a team using Copilot and their #1 complaint: it keeps suggesting things they doesn't want. More time dismissing than accepting. The core problem is the same: these tools review code with zero context. No intent. No trade-offs. No "what's intentionally out of scope." Verification should shift left to the intent, not the diff. Review the plan. Challenge the plan. Then review the code against the plan. That's a useful review.