More than half a million lines of source code for Anthropic's Claude Code package were made public by mistake This article explores attack software supply. . Attackers took advantage of a GitHub Action that was set up wrong in Trivy, which let the development team lose their credentials.

The events show that attackers are going after CI/CD environments for continuous integration and deployment. Wiz, a cloud cybersecurity company owned by Google, says that the supply chain is an important part of the infrastructure that needs to be protected at all levels. Rami McCarthy, a principal security researcher at Wiz, says that the real problem is the cascading follow-on effects. He points out that AI-driven code surges are making it necessary to rethink how we secure applications.

He says that getting rid of vulnerabilities in code is hard because it means updating all open-source parts to the newest version. One breach can cause a lot of problems across all of a company's systems. In the last year, two-thirds of companies have had an attack on their software supply chain.

The Axios leak shows that the security practices that go along with AI development are not keeping up with the speed of the AI development process. Tim Mackey of Black Duck says that businesses need to make protecting their Continuous Integration/Continuous Deployment (CI/CD) processes a top priority by limiting access to important keys and using strong secret management methods. According to past research, the third-most recent version is usually the most secure.

Mackey says that older versions can be safer because they have fewer known vulnerabilities and a balanced patching process. He also says that immediate patching is reasonable, but teams need to do a risk-based analysis of their development processes to make sure they don't leave any potential lingering effects from attacks like the Axios incident, especially when it comes to container images. "Traditional compromised packages only work in a limited runtime environment," says Jesus Ramon, who is on the AI red team.