RC RANDOM CHAOS

supply chain security

42 posts

Cisco's Source Code Breach Was Structural, Not Accidental
Article

Cisco's Source Code Breach Was Structural, Not Accidental

Cisco's source code breach wasn't a fluke. It was the predictable result of credential drift, third-party trust gaps, and dev infrastructure treated as low-risk.

How Trust in Open-Source Updates Becomes a Systemic Failure Mode
Article

How Trust in Open-Source Updates Becomes a Systemic Failure Mode

A structural analysis of how trust in open-source updates becomes exploitable when systems assume past safety implies future safety, using the Trivy compromise as a case study.

ShinyHunters, Trivy, and the Pipeline Identity Problem
Article

ShinyHunters, Trivy, and the Pipeline Identity Problem

ShinyHunters cloned 300 Cisco repositories through Trivy running in a CI/CD pipeline. This is what failed structurally, why it failed, and what pipeline identity enforcement must look like.

The Advisory Told You to Update. It Didn't Tell You What's Already Running.
Article

The Advisory Told You to Update. It Didn't Tell You What's Already Running.

Patching the advisory isn't enough. If your CI pipeline ran during the compromise window, the compromised code is baked into your container images and still running. Here's how to find it.

Trivy Supply Chain Attack Exposes Cisco Source Code
Article

Trivy Supply Chain Attack Exposes Cisco Source Code

ShinyHunters stole Cisco source code via Trivy supply chain attack due to exposed AWS keys in CI/CD pipelines. Here's how it happened and what you must fix now.

Trivy Supply Chain Attack Exposes Cisco's Source Code
Article

Trivy Supply Chain Attack Exposes Cisco's Source Code

ShinyHunters stole Cisco's source code via Trivy supply chain attack. A compromised Docker image led to AWS key exposure and 300 repos cloned. The real failure was trusting tools without verifying integrity.