CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
https://thehackernews.com/2026/03/weekly-recap-cicd-backdoor-fbi-buys.html
Publish Date: 2026-03-23 09:14:00
Source Domain: thehackernews.com
Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories.
This edition covers a mix of issues: supply chain attacks hitting CI/CD setups, long-abused IoT devices being shut down, and exploits moving quickly from disclosure to real attacks. There are also new malware tricks showing attackers are becoming more patient and creative.
It’s a mix of old problems that never go away and new methods that are harder to detect. There are quiet state-backed activities, exposed data from open directories, growing mobile threats, and a steady stream of zero-days and rushed patches.
Grab a coffee, and at least skim the CVE list. Some of these are the kind you don’t want to discover after the damage is done.
⚡ Threat of the Week
Trivy Vulnerability Scanner Breached in for Supply Chain Attack — Attackers have backdoored the widely used open-source Trivy vulnerability scanner, injecting credential-stealing malware into official releases and GitHub Actions used by thousands of CI/CD workflows. The breach has triggered a cascade of additional supply-chain compromises stemming from impacted projects and organizations not rotating their secrets, resulting in the distribution of a self-propagating worm referred to as CanisterWorm. Trivy, developed by Aqua Security, is one of the most widely used open-source vulnerability scanners, with over 32,000 GitHub stars and more than 100 million Docker Hub downloads. The Trivy compromise is the latest in a growing pattern of attacks targeting GitHub Actions and developers in general. GitHub changed the default behavior of pull_request_target workflows in December 2025 to reduce the risk of exploitation.
🔔 Top News
- DoJ Takes Down DDoS Botnets — A cluster of IoT botnets behind some of the largest DDoS attacks ever recorded — AISURU, Kimwolf,…
