PulseAugur / Brief

Multi-source AI news clustered, deduplicated, and scored 0–100 across authority, cluster strength, headline signal, and time decay.

  1. If you use Trivy or KICS in CI, read this

    A malicious actor known as "TeamPCP" compromised popular security tools like Trivy and KICS by force-pushing mutable tags on their GitHub Actions repositories between March 19 and March 24, 2026. This allowed the attackers to inject malicious code into CI pipelines that were not pinned to specific commit SHAs, leading to the exfiltration of sensitive data such as secrets, SSH keys, and cloud credentials. To mitigate this risk, users are advised to pin their GitHub Actions to immutable commit SHAs, audit their workflow permissions, and consider using security tools like `github-actions-audit` or `zizmor` for ongoing monitoring.

    IMPACT: Highlights critical supply chain vulnerabilities in CI/CD pipelines, impacting the secure deployment of AI applications.
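
    A minimal check for the pinning advice above, as an added example that is not code from the brief or from the tools it names: it flags every `uses:` reference whose ref is a tag or branch instead of a full 40-hex commit SHA, and reports whether the workflow declares a `permissions:` key at all. The action names and the SHA in the sample workflow are constructed.

```python
import re

# A step-level or job-level "uses:" reference: owner/repo[/path]@ref
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERMISSIONS_RE = re.compile(r"^\s*permissions:")


def audit_workflow(text):
    """Return (unpinned, has_permissions) for one workflow file's text.

    unpinned lists (line_number, reference) for each remote action whose ref
    is mutable (tag, branch, short SHA) rather than a full commit SHA.
    """
    unpinned = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore commented-out steps
        if PERMISSIONS_RE.match(line):
            has_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and container images are not git refs.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        version = ref.partition("@")[2]
        if not FULL_SHA_RE.match(version):
            unpinned.append((lineno, ref))
    return unpinned, has_permissions


# Constructed sample workflow; names and SHA are placeholders.
SAMPLE = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-action@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: example-org/scanner-action@v1
      - uses: example-org/iac-action@main
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    findings, has_permissions = audit_workflow(SAMPLE)
    for lineno, ref in findings:
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
    print("permissions block declared:", has_permissions)
```

    A workflow with no `permissions:` key runs with the repository's default token scope, so a `False` result marks the file for the permissions audit the brief recommends.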