Vigilant breaks down the Trivy-to-LiteLLM supply chain attack chain step by step. How attackers compromised a vulnerability scanner, stole a PyPI publish token, and backdoored 97 million monthly downloads worth of AI infrastructure. Plus: the 50K-repo scan that found it first.
Read analysis →
This entire 50K-repo research series is a single snapshot — already aging. CI/CD pipelines change daily. Point-in-time scans miss the drift. Here's why continuous monitoring is the only defense that matches the speed of modern supply chain attacks.
Read analysis →We scanned 50K repos and found 192,776 CI/CD vulnerabilities. Now we're submitting pull requests to fix them — automated remediation at ecosystem scale. Here's the plan, the limits, and what happens to the repos nobody maintains anymore.
Read analysis →
143,616 of 192,776 CI/CD findings in GitHub's top 50K repos trace to one problem: mutable action tags. One compromised maintainer account. Thousands of repos.
Read analysis →246,496 CI/CD findings across GitHub's top 50K repos are auto-fixable. SHA pinning, permission scoping, input validation — most take under 5 minutes. Step-by-step fixes for every vulnerability class.
Read analysis →
Rust, the language built to eliminate memory bugs — has a 77.9% CI/CD vulnerability rate, the highest in GitHub's top 50K repos. The paradox: complex toolchains drive complex pipelines, and complex pipelines create attack surface.
Read analysis →The tj-actions attack was human-paced — detected in days. AI agents automate every step of the same chain attack and compress the window to hours. We scanned 50K repos and found the attack surface already staged.
Read analysis →
Docker's 6 official GitHub Actions run unpinned in 2,740+ of GitHub's top repos. One compromised org would poison container builds and registry credentials across the open-source ecosystem.
Read analysis →
611 repos in GitHub's top 50K have every ingredient for a full CI/CD compromise — unpinned action, write permissions, dangerous trigger. Here's the 5-step chain attack, mapped to real scan data.
Read analysis →
Iranian state-linked hackers executed a destructive cyberattack against Stryker, wiping 200,000 devices and stealing 50TB of data
Read analysis →