Security tools are backdoored, storage gateways are leaking identities, and core crypto libraries are failing Cryptography 101.

🏴‍☠️ The Trivy Supply Chain Bait-and-Switch

Trivy’s official release pipeline got compromised. Version 0.69.4 is backdoored. If your pipelines pulled this release, malicious GitHub Actions and binaries are currently exfiltrating your secrets to a typosquatted C2.

Purge 0.69.4 from your CI/CD workflows immediately. Block the C2, rip out the malicious artifacts, and rotate every single secret exposed to this build. Consider them burned.
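To find where the backdoored release is pulled in, the following is an added example (not Trivy's or Aqua's own tooling) that scans a repository's GitHub workflow files for the 0.69.4 release. It assumes Trivy enters a job through a `uses:` line naming a Trivy action, a `version:`-style input on such a step, or a direct download URL; the action names and the asset file name in the constructed sample are assumptions, and the "clean" sample pins to an all-zero placeholder SHA.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Release the page reports as backdoored.
AFFECTED_VERSION = "0.69.4"

# A workflow step boundary ("- name:", "- uses:", "- run:", "- id:").
STEP_RE = re.compile(r"^\s*-\s*(?:name|uses|run|id):")
# "uses: owner/repo@ref" -> (owner/repo, ref)
USES_RE = re.compile(r"uses:\s*([\w.-]+/[\w.-]+)@(\S+)")
# Version-style inputs under "with:" (input names are assumptions, extend as needed).
VERSION_INPUT_RE = re.compile(
    r"^\s*(?:version|trivy-version|trivy_version):\s*['\"]?v?(\d+\.\d+\.\d+)"
)


def find_affected(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every line that pulls in the affected release."""
    findings: List[Tuple[int, str]] = []
    in_trivy_step = False
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if STEP_RE.match(line):
            in_trivy_step = False          # new step: forget the previous step's context
        m = USES_RE.search(line)
        if m and "trivy" in m.group(1).lower():
            in_trivy_step = True           # inputs that follow belong to a Trivy step
        # Rule 1: any line that names Trivy together with the affected version
        # (action pin, download URL, docker image tag, ...).
        if "trivy" in line.lower() and AFFECTED_VERSION in line:
            findings.append((lineno, f"references Trivy {AFFECTED_VERSION}: {line.strip()}"))
            continue
        # Rule 2: a version input inside a Trivy step that asks for the affected release.
        m = VERSION_INPUT_RE.match(line)
        if m and in_trivy_step and m.group(1) == AFFECTED_VERSION:
            findings.append((lineno, f"Trivy step requests version {m.group(1)}"))
    return findings


def scan_workflows(repo_root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Scan .github/workflows/*.yml|*.yaml under repo_root; return {path: findings}."""
    wf_dir = Path(repo_root) / ".github" / "workflows"
    results: Dict[str, List[Tuple[int, str]]] = {}
    for path in sorted(list(wf_dir.glob("*.yml")) + list(wf_dir.glob("*.yaml"))):
        hits = find_affected(path.read_text(encoding="utf-8"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample workflow (action names and asset file name are assumptions).
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@0.69.4
        with:
          scan-type: fs
      - name: Setup Trivy
        uses: aquasecurity/setup-trivy@v0.2.0
        with:
          version: v0.69.4
      - name: Manual install
        run: curl -sSL https://github.com/aquasecurity/trivy/releases/download/v0.69.4/trivy_0.69.4_Linux-64bit.tar.gz | tar xz
"""

# Constructed "clean" workflow: pinned to a placeholder commit SHA, not a release tag.
CLEAN_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: aquasecurity/trivy-action@0000000000000000000000000000000000000000
        with:
          scan-type: fs
"""

if __name__ == "__main__":
    for lineno, reason in find_affected(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {reason}")
```

Run `scan_workflows(".")` from a checkout to list every workflow that still references the release; each hit is a place to purge the artifact and a job whose secrets should be treated as burned.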

🪣 Brute-Forcing MinIO Buckets

MinIO's STS endpoint leaks LDAP usernames and has zero rate limiting. Anyone can spam the AssumeRoleWithLDAPIdentity action, enumerate valid users, and brute-force their way to temporary AWS-style credentials. From there, your S3 bucket resources are theirs.

Slap a WAF rate limit on that endpoint today and deploy the MinIO patch before someone walks off with your object data.
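Until the patch and WAF rule are in place, the abuse pattern the page describes (many AssumeRoleWithLDAPIdentity calls from one source, cycling through usernames) is easy to spot in logs. The following is an added detection example, not part of MinIO or of the original post: it reads constructed access-log lines in a generic format that is an assumption (not MinIO's audit log schema), keeps a 60-second sliding window per source IP, and raises one alert when the request rate crosses a threshold and another when a single source has tried too many distinct LDAP usernames.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Constructed log format (an assumption, adapt the regex to your proxy/WAF logs):
#   <iso8601> <src_ip> POST <path> "Action=<name>&LDAPUsername=<user>[&...]" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) POST \S+ '
    r'"Action=(?P<action>\w+)&LDAPUsername=(?P<user>[^"&]*)(?:&[^"]*)?" (?P<status>\d{3})$'
)

STS_ACTION = "AssumeRoleWithLDAPIdentity"
WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 20   # per source IP; tune to real client behaviour
MAX_DISTINCT_USERS = 5         # per source IP; more than this looks like enumeration


def parse(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["status"] = int(ev["status"])
    return ev


def detect(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {src_ip: [alert, ...]} for sources that abuse the STS endpoint."""
    window: Dict[str, deque] = defaultdict(deque)   # ip -> timestamps in the last window
    users: Dict[str, set] = defaultdict(set)        # ip -> distinct usernames tried
    alerts: Dict[str, List[str]] = defaultdict(list)
    for line in lines:                               # lines are assumed time-ordered
        ev = parse(line)
        if ev is None or ev["action"] != STS_ACTION:
            continue
        ip, q = ev["ip"], window[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                              # drop events outside the window
        users[ip].add(ev["user"])
        # Fire each alert once, at the moment the threshold is crossed.
        if len(q) == MAX_REQUESTS_PER_WINDOW + 1:
            alerts[ip].append(f"rate: {len(q)} STS requests within {WINDOW_SECONDS}s")
        if len(users[ip]) == MAX_DISTINCT_USERS + 1:
            alerts[ip].append(f"enumeration: {len(users[ip])} distinct LDAP usernames tried")
    return dict(alerts)


def make_sample_log() -> List[str]:
    """Constructed sample: one source spraying usernames, one normal client."""
    base = datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(30):   # 30 requests, 30 different usernames, all rejected, in 30 s
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'{ts} 203.0.113.7 POST / "Action={STS_ACTION}&LDAPUsername=user{i:02d}&LDAPPassword=x" 403')
    for i in range(3):    # a legitimate client: same user, spaced out, succeeds
        ts = (base + timedelta(minutes=i)).strftime(fmt)
        lines.append(f'{ts} 198.51.100.4 POST / "Action={STS_ACTION}&LDAPUsername=alice&LDAPPassword=x" 200')
    return lines


if __name__ == "__main__":
    for ip, reasons in detect(make_sample_log()).items():
        print(ip, reasons)
```

The same per-source threshold is what the WAF rate limit on the STS path should enforce; the detector is there so you also see who was already hammering the endpoint before the limit went in.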

🧟 Zombie Certificates in AWS-LC

If you compile custom apps against AWS-LC through the aws-lc-sys or aws-lc-fips-sys Rust crates, your revocation checks are broken. A logic flaw in those crates bypasses validation for partitioned CRLs. Hand your app a known-revoked certificate, and it blindly trusts it.

Managed AWS services are unaffected, but custom code using these crates is wide open. Bump the dependencies and rebuild your applications to patch this blind trust out of your codebase.
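Because these crates usually arrive transitively (a TLS or HTTP crate pulls in aws-lc-rs, which pulls in aws-lc-sys), "bump the dependencies" starts with finding out which of your direct dependencies drags them in. The following is an added example, not AWS's or the crates' own tooling: a small Cargo.lock parser that reports the resolved version of each affected crate and the dependency chains leading to it. The page gives no fixed version numbers, so the fixed versions are a caller-supplied mapping (fill it from the advisory); the sample lock file, its crate versions and the `0.2.0` fixed-version value in the test are all constructed placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

AFFECTED_CRATES = ("aws-lc-sys", "aws-lc-fips-sys")

NAME_RE = re.compile(r'^name = "(.+)"$')
VERSION_RE = re.compile(r'^version = "(.+)"$')


def parse_cargo_lock(text: str) -> Dict[str, dict]:
    """Return {crate_name: {"version": str, "dependencies": [crate_name, ...]}}.

    Handles the [[package]] table layout of Cargo.lock. Dependency entries may be
    "name", "name 1.2.3" or "name 1.2.3 (source)"; only the name is kept.
    """
    packages: Dict[str, dict] = {}
    current: Optional[dict] = None
    in_deps = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current, in_deps = {"version": "", "dependencies": []}, False
            continue
        if current is None:
            continue                       # header lines before the first package
        if in_deps:
            if line.startswith("]"):
                in_deps = False
            elif line:
                current["dependencies"].append(line.strip('",').split()[0])
            continue
        m = NAME_RE.match(line)
        if m:
            packages[m.group(1)] = current
            continue
        m = VERSION_RE.match(line)
        if m:
            current["version"] = m.group(1)
            continue
        if line.startswith("dependencies = ["):
            rest = line[len("dependencies = ["):]
            if rest.rstrip().endswith("]"):    # single-line list form
                current["dependencies"] = [d.split()[0] for d in re.findall(r'"([^"]+)"', rest)]
            else:
                in_deps = True
    return packages


def dependency_chains(packages: Dict[str, dict], target: str) -> List[List[str]]:
    """All root -> ... -> target paths; roots are crates nobody depends on (your app)."""
    rev: Dict[str, List[str]] = defaultdict(list)
    for name, pkg in packages.items():
        for dep in pkg["dependencies"]:
            rev[dep].append(name)
    chains: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        parents = rev.get(node, [])
        if not parents:
            chains.append(list(reversed(path)))
            return
        for parent in parents:
            if parent not in path:             # cycle guard
                walk(parent, path + [parent])

    if target in packages:
        walk(target, [target])
    return chains


def version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def audit(lock_text: str, fixed_versions: Dict[str, Optional[str]]) -> Dict[str, dict]:
    """For each affected crate in the lock file: version, status and how it gets pulled in."""
    packages = parse_cargo_lock(lock_text)
    report: Dict[str, dict] = {}
    for crate in AFFECTED_CRATES:
        if crate not in packages:
            continue
        ver = packages[crate]["version"]
        fixed = fixed_versions.get(crate)
        if fixed is None:
            status = "present: compare version against the advisory"
        else:
            status = "vulnerable" if version_tuple(ver) < version_tuple(fixed) else "patched"
        report[crate] = {"version": ver, "status": status,
                         "chains": dependency_chains(packages, crate)}
    return report


# Constructed sample lock file; crate versions here are placeholders, not real releases.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "aws-lc-rs"
version = "1.0.0"
dependencies = [
 "aws-lc-sys",
]

[[package]]
name = "aws-lc-sys"
version = "0.1.0"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "rustls",
 "serde",
]

[[package]]
name = "rustls"
version = "0.23.0"
dependencies = [
 "aws-lc-rs",
]

[[package]]
name = "serde"
version = "1.0.0"
"""

if __name__ == "__main__":
    for crate, info in audit(SAMPLE_LOCK, {"aws-lc-sys": None}).items():
        print(crate, info["version"], info["status"])
        for chain in info["chains"]:
            print("  " + " -> ".join(chain))
```

Point `audit` at your real `Cargo.lock` with the advisory's fixed versions; each reported chain names the direct dependency you have to bump before rebuilding.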