Two Supply Chain Attacks in Two Weeks - Why Defense-in-Depth Saved Me

via Dev.to • Felix Ortiz • 7h ago

Two supply chain attacks hit my CI/CD pipeline in under two weeks. Neither caused damage. Here's why, and what I hardened afterward.

The trend no one can ignore

In late March 2026, the aquasecurity/trivy-action GitHub Action was compromised via tag poisoning. A mutable version tag was silently redirected to a malicious commit. Less than two weeks later, a threat actor compromised an axios npm maintainer's account and published two backdoored versions (1.14.1 and 0.30.4) containing a hidden postinstall script that phoned home to a command-and-control server. Microsoft published a detailed technical analysis of the axios attack.

Two different attack vectors. Two different ecosystems. Same target: CI/CD pipelines.

This isn't a coincidence. Attackers are actively targeting build infrastructure because that's where the secrets live, where the deployments happen, and where a single compromised dependency can cascade into production. If your CI/CD pipeline isn't hardened against this class
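
A check for the two patterns described above, as an added example (not code from the original article): it flags GitHub Actions `uses:` references that are not pinned to a full 40-character commit SHA, and axios entries in a package-lock.json that match the two versions the article names. The function names, the sample workflow and lockfile, and the placeholder SHA are constructed for illustration; the lockfile parsing assumes npm's lockfileVersion 2/3 `packages` layout.

```python
import json
import re

# Versions the article names as backdoored; nothing else is assumed bad.
BAD_AXIOS = {"1.14.1", "0.30.4"}
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)", re.M)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow_text):
    """Return `uses:` references that rely on a mutable tag or branch."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        version = ref.partition("@")[2]
        if not FULL_SHA.match(version):  # tags like v4 can be moved; a SHA cannot
            findings.append(ref)
    return findings

def flagged_axios(lock_text):
    """Return (path, version) for axios entries matching BAD_AXIOS."""
    packages = json.loads(lock_text).get("packages", {})
    return sorted(
        (path, meta.get("version"))
        for path, meta in packages.items()
        if path.split("node_modules/")[-1] == "axios"  # top-level or nested copy
        and meta.get("version") in BAD_AXIOS
    )

# Constructed sample inputs (not taken from any real repository).
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: local
        uses: ./.github/actions/build
"""
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/foo/node_modules/axios": {"version": "1.7.0"},
}})

if __name__ == "__main__":
    print("unpinned:", unpinned_actions(SAMPLE_WORKFLOW))
    print("flagged axios:", flagged_axios(SAMPLE_LOCK))
```
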
