7 posts tagged with "Security"

Shai-Hulud 2.0: When npm install Becomes a CI/CD Attack

· 4 min read

Between November 21 and 23, 2025, attackers compromised maintainer accounts to publish trojanized versions of popular npm packages. Unlike typical malware that might run quietly in the background, this variant is aggressively designed to harvest credentials and establish persistence within build environments.

What is Shai-Hulud 2.0?

Scale at a glance: ~700 npm packages linked to the campaign, 25k+ malicious GitHub repos auto-created, and large-scale secret leaks (GitHub tokens, AWS/GCP/Azure creds).

2.11 Release

· 2 min read

We are excited to announce R2Devops 2.11! This release brings pipeline composition compliance with GitLab CI/CD Catalog Components, custom AI model configuration, enhanced issue remediation, and a project analysis page.

Could a Supply Chain Attack Like tj-actions/changed-files Hit GitLab CI/CD Pipelines?

· 4 min read

What Happened?

A critical supply chain attack has impacted the GitHub Actions ecosystem, specifically targeting the widely used tj-actions/changed-files workflow.

This action, commonly used in CI/CD pipelines to detect modified files in pull requests, was compromised, allowing attackers to steal secrets and potentially gain control over repositories.

CVE-2025-30066 has been assigned to this incident.

2.9 Release

· 2 min read

We are excited to introduce R2Devops 2.9! This release brings ISO 27001 compliance controls, AI-powered pipeline compliance, verification of project member role quotas, and an improved experience on the issue page.

Top 5 Software Supply Chain Security Incidents

· 8 min read

CI/CD (Continuous Integration and Continuous Deployment) pipelines have revolutionized software development, enabling rapid code integration, testing, and deployment. However, their growing complexity and reliance on automated processes have also introduced significant cybersecurity risks within the scope of the software supply chain. Below, we examine five of the highest-profile cybersecurity incidents involving CI/CD pipelines in the IT industry, highlighting the vulnerabilities and lessons learned.