They have written about it on github to my question: Trivvy hacked (

Imustaskforhelp • yesterday at 5:37 PM • 2 replies • view on HN

They have written about it on github to my question:

Trivvy hacked (https://www.aquasec.com/blog/trivy-supply-chain-attack-what-...) -> all circleci credentials leaked -> included pypi publish token + github pat -> | WE DISCOVER ISSUE | -> pypi token deleted, github pat deleted + account removed from org access, trivvy pinned to last known safe version (v0.69.3)

What we're doing now:

    Block all releases, until we have completed our scans
    Working with Google's mandiant.security team to understand scope of impact
    Reviewing / rotating any leaked credentials

https://github.com/BerriAI/litellm/issues/24518#issuecomment...

Replies

celticninja • yesterday at 6:05 PM

69.3 isnt safe. The safe thing to do is remove all trivy access. or failing that version. 0.35 is the last and AFAIK only safe version.

https://socket.dev/blog/trivy-under-attack-again-github-acti...

➕ show 1 reply

franktankbank • yesterday at 6:02 PM

Does that explain how circleci was publishing commits and closing issues?

alt Hacker News

Replies