Everything Is an Attack Surface
What you missed today
Good evening.
Supply chain attacks hit two major tools this week. If Trivy is in your CI/CD pipeline, read story #1 before anything else.
Here are the 5 things you missed today:
1. Your Security Scanner Was the Attack Vector
Trivy, the open source vulnerability scanner in millions of CI/CD pipelines, was hit twice in March. Attackers pushed malicious releases, force-pushed 76 version tags to credential-stealing malware, and defaced 44 internal Aqua Security repositories in a scripted 2-minute burst. The payload silently harvested AWS, GCP, Azure, SSH, Kubernetes, and Git credentials before legitimate scans completed.
If you ran trivy-action between March 19–20, rotate everything. Pin Actions to immutable SHA hashes, not version tags.
2. High-Tech Just Overtook Finance as the Most-Attacked Sector
High tech accounted for 17% of all Mandiant IR investigations in 2025, pushing financial services to second at 14.6%. High-tech organizations sit at the center of supply chains with API access to dozens of downstream customers. Compromising one is often a path to many.
3. One Person. 373,000 Dark Web Sites. All Fake.
Operation Alice dismantled a dark web network run by a single operator in China across 373,000 fraudulent sites, 105 seized servers, and €345,000 in cryptocurrency earnings from roughly 10,000 customers. An international arrest warrant has been issued.
4. Eight Validated Attack Paths Inside AWS Bedrock
XM Cyber mapped eight attack vectors in Bedrock environments, including log manipulation, knowledge base compromise, agent hijacking, flow injection, guardrail degradation, and prompt poisoning. When a Bedrock agent connects to Salesforce, Lambda, or SharePoint, it becomes a node with reachable paths to critical assets. Worth a full read before your next deployment.
5. Google's Gemini Is Now Crawling the Dark Web For You
Google's new dark web intelligence service processes 10 million posts per day and claims 98% accuracy, against 80–90% false positive rates from traditional keyword-matching tools. Gemini builds an org profile in minutes and starts surfacing relevant threats. The caveat: it needs access to your organizational profile to work, which is a new attack surface to manage.
Bonus. CISO Tip of the Day
The Trivy incident came down to mutable version tags trusted by millions of workflows. Pinning Actions to commit SHAs would have blocked the entire attack. The cheapest controls are usually the ones your team keeps deferring.
All stories are independent editorial coverage.
- Alex