Chainguard

Computer and Network Security

Kirkland, WA 57,627 followers

Safe source for open source.

About us

Chainguard is the trusted source for open source. By delivering hardened, secure, and production-ready builds of all the open source software engineers rely on, Chainguard helps organizations build faster, stay compliant, and eliminate risk. Its customers include Fortune 500 enterprises and global industry leaders, including Anduril, Canva, Fortinet, Hewlett Packard Enterprise, Snap Inc., and Snowflake. Chainguard is venture-backed by leading investors, including Amplify, IVP, Kleiner Perkins, Lightspeed Venture Partners, Mantis VC, Redpoint Ventures, Sequoia Capital, and Spark Capital. For more information, visit: https://www.chainguard.dev/

Website
https://chainguard.dev
Industry
Computer and Network Security
Company size
201-500 employees
Headquarters
Kirkland, WA
Type
Privately Held
Founded
2021
Specialties
software supply chain security, cybersecurity, container images, and software development

Updates

  • ⚠️ If you haven't already heard, axios, the JavaScript HTTP client with more than 300 million monthly downloads on npm, was compromised yesterday. Malicious versions were published via a compromised maintainer account. ⚠️ Chainguard Containers and Libraries customers are safe. Here’s what to do if you were affected:
    * Audit your installed versions
    * Downgrade to secure versions
    * Treat affected systems as compromised
    * Rotate your credentials
    This attack continues the software supply chain security theme of the month: your company’s security is only as strong as your weakest open source dependency. Full details and breakdown on the blog: https://lnkd.in/evdZkn2X

  • 📊 The data is in from our second State of Trusted Open Source report: software risk is accelerating faster than humans can manage! We analyzed over 2,200 container image projects, 3,931 total vulnerability instances, and 377 unique CVEs across Chainguard customers. Here’s what we found:
    * 🐍 Python dominates the AI era and is used by 72.1% of customers
    * 🐘 PostgreSQL is experiencing significant growth, with a 73% increase quarter over quarter, particularly due to the rise of vector databases and retrieval-augmented generation
    * AI is also changing the speed at which vulnerabilities surface. We had 300%+ more fixes this quarter and a 145% increase in unique vulnerabilities
    * 🧱 The stack is becoming more standardized, with the majority of the top images being language runtimes
    * Chainguard Base is emerging as the utility belt in developer tooling
    * 96% of the vulnerabilities found and remediated in Chainguard Containers occurred outside the top 20 most popular projects, highlighting the long-tail risk
    Read the full report here: https://lnkd.in/eTXg39V9

  • ⚡ Introducing Chainguard Actions: CI/CD workflows you can trust! ⚡ CI/CD pipelines are some of the most privileged and least protected parts of modern software delivery. With AI accelerating how fast code gets written and shipped, that risk is only growing. We’re here to fix that. With Chainguard Actions you can:
    * Detect and fix unsafe patterns like tag hijacking, pull_request_target abuse, and secret exfiltration via logs
    * Stay secure as Actions are hardened when new threats emerge
    * Audit and verify: SBOMs, provenance, and transparent change history
    * Stay immune from supply chain attacks like Trivy and tj-actions
    Now in beta! Give it a spin: https://lnkd.in/eDNRcmes

  • Chainguard reposted this

    TeamPCP hit LiteLLM (~97M downloads/month) because a maintainer ran Trivy during the wrong window. You didn't have to touch Trivy. You just had to depend on something that did. That's the scariest part: you don't get owned by the tool you used. You get owned by the tool your dependency's maintainer used on a Tuesday afternoon. Your attack surface isn't your code. It's every tool, every maintainer, every machine in the whole chain. And no, your SBOM wasn't going to save you. Nobody is reading SBOMs right now. They're rotating creds and praying their EDR caught something. Reid Tatoris and I are breaking down exactly how this played out and what you can actually do about it. Join us: https://lnkd.in/eQynb5xV

  • Chainguard reposted this

    If you haven't been following the recent TeamPCP/Trivy supply chain attack, it's worth two minutes. For those not that technical, here's what's happening in simple terms:
    • Malicious actors poisoned some eggs at the grocery store
    • People ate those eggs and got sick
    • The eggs were used to make muffins, crackers, bagels, etc.
    • People who never ate eggs are now sick
    Unfortunately, there are no signs of this contagion slowing down. This is the double-edged sword of open source: anyone has access to the tools they need to build, but because everything is interconnected, one compromised tool can poison dozens more downstream. Chainguard, going back to our analogy above, is like sourcing all of your groceries and food from a trusted, safe vendor. Our open source artifacts are built clean from the ground up, so poisoned eggs never enter your refrigerator (or pantry). Think of it as a hermetically-sealed farm and grocery store. Full timeline for what's going on below ⬇️

  • 💡 If you’re responding to the Trivy/LiteLLM/telnyx incident right now, you’re probably focused on the immediate work: checking versions, reviewing logs, assessing exposure, and rotating credentials. That's a good start. Still processing what happened or how to protect yourself from this and the next inevitable attack? Dan Lorenc (CEO & Co-Founder, Chainguard) and Reid Tatoris (VP of Product, Chainguard) are hosting a brief, practical session to help you navigate it. They'll cover:
    * What happened and how
    * How to check if you were exposed
    * What actions to take immediately (credentials, pipelines, cleanup)
    * What to change going forward to reduce this kind of risk
    🧭 [Link to register in the comments]

  • ⚠️ Another major supply chain attack: this time targeting telnyx, a Python SDK for carrier-grade communications with 790K monthly downloads. ⚠️ Chainguard Libraries customers are not impacted.
    📦 Affected versions on PyPI: 4.87.1, 4.87.2
    ✅ Last clean version: 4.87.0 (published March 26)
    The next attack from TeamPCP (the bad actors behind Trivy, Checkmarx, LiteLLM and Canisterworm) is both sophisticated and unsettling:
    * Malicious code executes immediately on `import telnyx`, before your app even runs
    * Payloads are hidden inside a fake audio file (hangup.wav) downloaded from a C2 server
    * On Windows: persistence via the startup folder
    * On Linux/macOS: credential harvesting (similar to the Trivy and LiteLLM attacks)
    Open source’s interconnectedness is both its greatest strength and its greatest flaw. When attackers steal CI/CD credentials, they can publish malicious packages directly to public registries that, in turn, harvest more credentials. Those credentials are then used for the next attack. As a response to this continuing wave of TeamPCP attacks, we are making our Trivy image free for 12 months and Chainguard Libraries and Actions free for three months (see comments for sign-up details). More about this attack on the blog: https://lnkd.in/g4uwuwqD

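The "audit your installed versions, then downgrade to the last clean release" step from this post and from the axios post above, as an added Python example that is not Chainguard's code. The only advisory data in it is what this post states (telnyx 4.87.1 and 4.87.2 malicious, 4.87.0 last clean); the sample requirements file, the helper names and the other packages in the sample are constructed for illustration. It checks both a pinned requirements/pip-freeze file and the packages actually installed in the running interpreter.

```python
"""Audit pinned Python dependencies against known-malicious releases and
report the last clean version to pin instead.

Added example; not Chainguard code. ADVISORIES holds only the telnyx
versions stated in the post above. Everything else here is constructed.
"""
import re
import sys
from importlib import metadata

# package -> (malicious versions, last clean version), from the post
ADVISORIES = {
    "telnyx": ({"4.87.1", "4.87.2"}, "4.87.0"),
}

# name[extras]==version, ignoring trailing markers/comments
_PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;#]+)"
)


def normalize(name: str) -> str:
    """PEP 503 normalisation so 'Telnyx', 'telnyx' and 'tel_nyx' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_pins(text: str) -> dict:
    """Extract name==version pins from requirements.txt / pip freeze output.
    Lines without an exact pin (>=, no specifier) are skipped: they cannot
    be audited reliably; audit the lockfile or the environment instead."""
    pins = {}
    for line in text.splitlines():
        m = _PIN_RE.match(line)
        if m:
            pins[normalize(m.group(1))] = m.group(2)
    return pins


def audit(pins: dict) -> list:
    """Return (package, pinned_version, last_clean_version) for every
    pin that is a known-malicious release."""
    findings = []
    for name, (bad, clean) in ADVISORIES.items():
        version = pins.get(normalize(name))
        if version in bad:
            findings.append((name, version, clean))
    return findings


def audit_environment() -> list:
    """Same check against what is actually importable in this interpreter,
    which is what matters if the payload runs at import time."""
    installed = {}
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        if name:
            installed[normalize(name)] = dist.version
    return audit(installed)


# Constructed sample requirements file (not from the page)
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
Telnyx==4.87.2   # pinned during the compromised window
litellm>=1.0     # unpinned: skipped, audit the lockfile instead
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REQUIREMENTS
    hits = audit(parse_pins(text)) + audit_environment()
    for pkg, ver, clean in hits:
        print(f"{pkg}=={ver} is a known-malicious release: pin {pkg}=={clean}, "
              f"treat the host as compromised and rotate its credentials")
    sys.exit(1 if hits else 0)
```

Run it as `python audit.py requirements.txt` (or with no argument to see the constructed sample flagged). A hit on `audit_environment()` means the package was already installed, so the post's "treat affected systems as compromised" applies to that machine, not just the build.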
  • Chainguard reposted this

    Percona · 31,279 followers

    Percona is excited to partner with Chainguard to bring a new standard of security to open source databases. 🔐 Together, we’re making it easier for organizations to run open source data infrastructure in production without the burden of building and maintaining secure container images themselves. Here’s what this means:
    ✔ Secure-by-default container images with near-zero CVEs
    ✔ Full Percona expert support across MySQL, PostgreSQL, MongoDB, Valkey, Redis, and more
    ✔ A simpler path to compliance across complex environments
    ✔ Less time patching and rebuilding, more time focused on innovation
    The result is production-ready open source databases with enterprise-grade backing. We’re proud to be among the first partners in this ecosystem and the only one delivering exclusively open source database support. Learn more: https://bit.ly/4sz6Uxt #OpenSource #Databases #CyberSecurity #DevOps

  • Impacted by the Trivy supply chain attack? We got you. 🫂 In a nutshell: On March 19, 2026, attackers exploited stolen credentials to publish malicious versions of Trivy GitHub Actions and images, transforming routine scans into credential harvesters. If you ran a Trivy scan via GitHub Action or container between March 19 and 22, assume you have been exposed and take the following actions:
    • Rotate your GitHub credentials
    • Update your cloud provider keys
    • Change your Kubernetes secrets
    • Regenerate your crypto keys
    The blast radius continues to expand. On March 24, the same attackers compromised LiteLLM, a critical Python dependency with 97M+ monthly downloads, using credentials stolen through the project’s use of the compromised Trivy action. The impact is still spreading, and more downstream compromises are likely. We can help teams respond quickly and mitigate future risks. We are offering three free months of Chainguard Libraries and Chainguard Actions, with no paid commitment required. With Chainguard’s secure-by-default open source artifacts, you get:
    ✅ Malware-resistant Python, Java, and JavaScript dependencies
    ✅ Continuously hardened CI/CD workflows against known exploits
    ✅ Signed provenance and SBOMs for every artifact
    We're here to help you get the protection you need: this is available until May 31, 2026! https://lnkd.in/eDNRcmes

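The "did any of our workflows run the Trivy action in the window, and what else is pinned to a movable tag" check this post implies, which is also the tag-hijacking pattern the Chainguard Actions post above lists, as an added Python example that is not Chainguard Actions code. It assumes workflow files under .github/workflows, treats only a full commit SHA as an immutable pin (a tag or branch can be re-pointed by whoever holds the publishing credentials, which is exactly what stolen credentials allow), and runs over a constructed sample workflow with a placeholder SHA. The repository name aquasecurity/trivy-action is the real upstream action but appears here only as a string to match.

```python
"""Scan GitHub Actions workflow files for third-party actions that are not
pinned to a full commit SHA, and call out the Trivy action specifically so
its run history can be checked against the incident window.

Added example, not Chainguard Actions code. SAMPLE_WORKFLOW is constructed
and its SHA is a placeholder; the regexes are a line-based approximation
rather than a YAML parser.
"""
import re
import sys
from pathlib import Path

_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
_SHA_RE = re.compile(r"^[0-9a-f]{40}$|^[0-9a-f]{64}$")
TRIVY_ACTION = "aquasecurity/trivy-action"   # real upstream name, used only to match
PLACEHOLDER_SHA = "deadbeef" * 5             # 40 hex chars, not a real commit


def classify_uses(ref: str) -> dict:
    """Split 'owner/repo[/path]@ref' and classify how the ref is pinned."""
    if ref.startswith("./") or ref.startswith("docker://"):
        kind = "local" if ref.startswith("./") else "docker"
        return {"action": ref, "ref": None, "pin": kind, "trivy": "trivy" in ref}
    action, _, version = ref.partition("@")
    if not version:
        pin = "unpinned"   # resolves to the default branch: fully mutable
    elif _SHA_RE.match(version):
        pin = "sha"        # immutable commit; a re-pointed tag cannot move it
    else:
        pin = "mutable"    # tag or branch: movable by whoever controls the repo
    is_trivy = action.split("/")[:2] == TRIVY_ACTION.split("/")
    return {"action": action, "ref": version or None, "pin": pin, "trivy": is_trivy}


def scan_workflow(text: str) -> list:
    """Return one classification per `uses:` line, with its line number."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _USES_RE.match(line)
        if m:
            results.append({"line": lineno, **classify_uses(m.group(1))})
    return results


def findings(text: str) -> list:
    """Everything not SHA-pinned, plus any Trivy reference regardless of pin:
    during an incident review the question is whether it ran at all."""
    return [r for r in scan_workflow(text)
            if r["pin"] in ("mutable", "unpinned") or r["trivy"]]


# Constructed sample workflow (not from the page)
SAMPLE_WORKFLOW = f"""\
name: ci
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - uses: ./.github/actions/local-lint
      - uses: some-org/release-helper
"""

if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    for f in findings(text):
        why = ("Trivy action: check run logs for 2026-03-19 to 2026-03-22"
               if f["trivy"] else f"{f['pin']} ref, pin to a commit SHA")
        print(f"line {f['line']}: {f['action']}@{f['ref'] or '<default branch>'} ({why})")
```

Run it over each file with `python scan.py .github/workflows/ci.yml`. A mutable ref only tells you the action could have been swapped underneath you; for the Trivy entries you still need the workflow run history to see whether a scan actually executed in the window before deciding which credentials to rotate.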

Funding

Chainguard: 6 total rounds
Last round: Debt financing, US$280.0M
See more info on Crunchbase