Github-Actions

It Happened Again On April 22, 2026, the official Bitwarden CLI npm package (@bitwarden/cli) was compromised. For roughly 90 minutes, between 5:57 PM and 7:30 PM ET, anyone who ran npm install @bitwarden/cli received a malicious package. Around 334 developers did exactly that. The attackers did not break into Bitwarden’s npm account directly. Instead, they hijacked a GitHub Actions workflow in Bitwarden’s CI/CD pipeline and weaponised npm’s Trusted Publishing mechanism to push a poisoned release. Trusted Publishing is OIDC-based and requires no stored credentials: it was introduced as a hardening measure after credential-based attacks. It became the entry point. ...

The Unexpected Swag from KubeCon EU 2026 KubeCon EU 2026 Amsterdam was a great edition. I walked away with good conversations, new connections, and the usual conference bag full of stickers. But one thing stood out among the swag: six months of GitHub Copilot Pro+, courtesy of GitHub. I’m not going to pretend I wasn’t excited. Copilot Pro+ isn’t cheap, and having it handed to you as conference loot—just because you showed up in the right place, accepting the right invitation—felt like a proper thank-you to the community. GitHub clearly knows its audience. ...

Introduction Trivy, the widely adopted open-source security scanner from Aqua Security, is a cornerstone of modern CI/CD pipelines and container security. With over 33,000 stars on GitHub as of March 2026, its footprint spans across Docker images, Homebrew, and countless developer machines. This ubiquity, however, made the supply-chain compromise discovered between March 19–21, 2026, particularly devastating. The incident was not a single point of failure but a multi-stage attack involving malicious releases, manipulated GitHub Actions, and a self-propagating worm that leveraged decentralized infrastructure. ...