What caused the March 2026 Trivy attack?

Compromised creds let TeamPCP force-push malware to 76/77 GitHub Action tags, turning scans into theft.

How do I secure my CI/CD pipeline from supply chain attacks ?

Pin to SHAs/digests, verify signatures/checksums, use least-privilege creds, and add runtime scanning.

Did GitLab get hit in these incidents?

No—their products avoided the bad versions, but they're pushing policy fixes hard now.

76 Poisoned Tags in 12 Days: Pipeline Nightmares from March 2026

Imagine running your trusted vulnerability scanner—only for it to steal your cloud keys. That's what hit four open-source tools in March 2026, all via pipelines.

Open Source Beat Apr 07, 2026 3 min read

Timeline graphic of March 2026 supply chain attacks on Trivy, KICS, LiteLLM, and axios

⚡ Key Takeaways

Pin dependencies and actions to immutable SHAs, not mutable tags. 𝕏
Verify integrity with checksums and signatures before execution. 𝕏
Centralized policy enforcement can detect anomalies early—but test it yourself. 𝕏

Published by

Open Source Beat

Community-driven. Code-first.

#CI/CD pipelines #CI/CD security #GitLab policies #GitLab security #Trivy compromise #Trivy hack #pipeline vulnerabilities #supply chain attacks

Worth sharing?

Get the best Open Source stories of the week in your inbox — no noise, no spam.

Originally reported by GitLab Blog

⚡ Key Takeaways

The 60-Second TL;DR

Open Source Beat

Share this article

Worth sharing?

Related Stories

GitHub Actions 2026 Roadmap: Lockfiles Lock Down Supply Chain Risks

Warden v2.0: Free CLI That Sniffs Out Malicious npm Packages in Seconds

EU Staff Emails and Data Dumped Online After Open-Source Scanner Hack

GitLab's Container Scanning Arsenal: Five Tools to Lock Down Your Images Before Disaster Strikes

Stay in the loop