General
Socket reports a supply chain attack where attackers force-updated 75 of 76 version tags for aquasecurity/trivy-action to point to malicious commits containing an infostealer payload. The campaign exposed CI/CD secrets across pipelines and included a typosquat domain for exfiltration, with a resilient fallback via the victim’s GitHub token. The post details the attack lifecycle, IOCs, remediation guidance, and attribution to TeamPCP Cloud Stealer.
The Rust Security Response Team discloses a vulnerability in the tar crate used by Cargo (CVE-2026-33056) that could allow a malicious crate to change filesystem permissions during…
Daniel Stenberg explains why NTLM and SMB are being moved to opt-in in curl, highlighting security flaws, backward-compatibility issues with HTTP/2/3, and the plan to disable by de…
Open-source multi-agent LLM framework for financial trading. Decomposes tasks into Analyst, Researcher, Trader, and Risk Management agents; supports multiple LLM providers; include…
The Wiz report details a multi-component supply chain attack against Aqua Security's Trivy, including compromised releases, GitHub Actions, and a C2 infrastructure. It outlines att…