
8 posts tagged with "CI/CD"


Shai-Hulud 2.0: When npm install Becomes a CI/CD Attack

4 min read

Between November 21 and 23, 2025, attackers compromised maintainer accounts to publish trojanized versions of popular npm packages. Unlike typical malware that might run quietly in the background, this variant is aggressively designed to harvest credentials and establish persistence within build environments.

What is Shai-Hulud 2.0?

Scale at a glance: ~700 npm packages linked to the campaign, 25k+ malicious GitHub repos auto-created, and large-scale secret leaks (GitHub tokens, AWS/GCP/Azure creds).

2.11 Release

2 min read

We are excited to announce R2Devops 2.11! This release brings pipeline composition compliance with GitLab CI/CD Catalog Components, custom AI model configuration, enhanced issue remediation, and a project analysis page.

Could a Supply Chain Attack Like tj-actions/changed-files Hit GitLab CI/CD Pipelines?

4 min read

What Happened?

A critical supply chain attack has impacted the GitHub Actions ecosystem, specifically targeting the widely used tj-actions/changed-files workflow.

This action, commonly used in CI/CD pipelines to detect modified files in pull requests, was compromised, allowing attackers to steal secrets and potentially gain control over repositories.

CVE-2025-30066 has been assigned to this incident.

R2Devops named a France 2030 laureate: "Support for SMEs and startups in cybersecurity"

1 min read


We are proud to announce that R2Devops is among the laureates of the France 2030 – NCC-FR Cyber programme, operated by Bpifrance and ANSSI, which aims to support innovative SMEs and startups in the field of cybersecurity.

This support allows us to give a clear answer to a still underestimated challenge: securing a critical blind spot of information systems, the CI/CD pipelines.

With the backing of France 2030, we will accelerate the development of our solutions to bring more security, trust and compliance to organisations.

We warmly thank Bpifrance and ANSSI for their trust and support, as well as the whole France 2030 ecosystem working to build a robust and sovereign cybersecurity.

"This support is a milestone that lets us take a major step forward in our mission: helping companies secure their environments and prepare for tomorrow's standards (ISO 27001, DORA, NIS 2)." — Aurélien COGET, CEO R2Devops

Top 5 Software Supply Chain Security Incidents

8 min read

CI/CD (Continuous Integration and Continuous Deployment) pipelines have revolutionized software development, enabling rapid code integration, testing, and deployment. However, their growing complexity and reliance on automated processes have also introduced significant cybersecurity risks within the scope of the software supply chain. Below, we examine five of the highest-profile cybersecurity incidents involving CI/CD pipelines in the IT industry, highlighting the vulnerabilities and lessons learned.