Ci Cd Security
The latest Ci Cd Security coverage — news, analysis, and updates from the WindowsNews.AI desk.
AI-Driven AWS Breach Unfolds in 72 Hours: What It Means for Your Windows Environment
A new report from cybersecurity firm Sygnia reveals a startling acceleration in cloud breaches: an attacker wielding artificial intelligence tools compromised a large AWS environment and spread...
Cordyceps CI/CD Attacks Exploit Workflow Trust to Threaten Hundreds of Open Source Repos
A widespread CI/CD supply‑chain attack pattern, dubbed Cordyceps, left hundreds of open source projects dangerously exposed in June 2026. Novee Security’s automated scan of roughly 30,000 popular...
Microsoft Exposes ‘Mastra’ Supply Chain Attack: Over 140 npm Packages Poisoned in Account Hijack
On June 17, 2026, Microsoft Threat Intelligence exposed a sprawling supply chain attack on the npm ecosystem after a malicious actor commandeered the account of a prolific maintainer and published...
GitHub Disables 73 Microsoft Repos After Malicious Commit via 'Miasma' AI Workspace
GitHub has taken the unprecedented step of disabling 73 repositories belonging to Microsoft after a malicious commit was detected in the Azure/durabletask repository on June 5, 2026. The commit was...
Claude Code Prompt Injection Exposes CI/CD Secrets—Patch Your Workflows Now
Anthropic’s Claude Code GitHub Action can leak CI/CD secrets to attackers when the AI agent processes untrusted GitHub issues, pull requests, or comments, Microsoft Threat Intelligence warned on...
jq -f NUL byte truncation bug can poison CI/CD pipelines with incomplete filters
Microsoft has added CVE-2026-41256 to its Security Update Guide, bringing attention to a subtle but significant vulnerability in the popular JSON processing tool jq. The issue, published in May 2026...
Miasma npm Supply-Chain Attack: Red Hat Packages Hijacked to Steal CI/CD Credentials
Security researchers uncovered a brazen supply-chain attack on June 1, 2026, targeting the npm registry’s @redhat-cloud-services namespace. Malicious versions of several packages, used by thousands...
Microsoft Exposes 14 Typosquatted npm Packages Published in 4 Hours to Steal CI/CD Secrets
A newly created npm maintainer account named vpmdhaj uploaded 14 typosquatted packages in a span of just four hours on May 28, 2026, Microsoft revealed in a security advisory. The rapid-fire campaign...
Malicious Microsoft durabletask PyPI Versions (1.4.1–1.4.3) Deploy Linux Wiper, Steal Cloud Credentials
A supply chain attack against Microsoft’s durabletask Python package has injected a covert payload into three PyPI releases, security researchers disclosed on May 20, 2026. The malicious...
Black Duck Polaris May 2026 ships CI evidence, faster Bridge CLI scans
Black Duck shipped its May 2026 update for the Polaris application security platform, packing the release with new CI evidence capabilities, AI-driven scanning improvements, expanded license...
Poetry 2.3.3 Patches a Path Traversal Bug That Let Malicious Wheels Escape Install Dirs
Python developers who rely on Poetry for dependency management need to update immediately to version 2.3.3, which patches a path traversal vulnerability in how the tool installs wheel packages. The...
Axios npm Supply Chain Attack: How Install-Time Malware Compromised Millions of JavaScript Projects
On March 31, 2026, a malicious update to the Axios npm package transformed one of JavaScript's most trusted HTTP clients into a weaponized supply chain threat. The attack didn't require developers to...