Agents
AppSec Santa RSAC Wrap: 71% of Organizations Never Pin GitHub Actions to Commit Hashes — Enabling the Trivy/TeamPCP Attack Chain
AppSec Santa's RSAC weekly (March 24) reported that 71% of organizations never pin their GitHub Actions to commit hashes — the exact vulnerability class that enabled TeamPCP to compromise 10,000+ GitHub workflows via Trivy tag poisoning, where the attacker force-pushed 75 of 76 tags with malicious binaries. The newsletter also cataloged that the March 1 Trivy incident's incomplete credential rotation directly caused the March 19 re-compromise, establishing a pattern where organizations treat package restoration as complete remediation while leaving lateral credentials active.
Source
↳ Follow the thread