Tag

#ci-cd

Analysis

Tags Are Pointers. Pointers Move.

The structural gap between what a pipeline declares and what it executes, and what hash pinning actually fixes.

Daniel Malvaceda · Apr 16, 2026 · 14 min read

Incident Critical npm javascript

Axios maintainer hacked via social engineering; RAT dropper found in versions 1.14.1 & 0.30.4 via malicious dependency.

Ricardo Sanchez · Apr 7, 2026 · 9 min read

Incident Critical GitHub Actions docker-hub

How a two-minute GitHub PR gave TeamPCP 18 days of silent access to Trivy's CI: Pwn Request, non-atomic rotation, and 82 poisoned Actions tags.

Daniel Malvaceda · Mar 27, 2026 · 21 min read