// #devops
4 articles
Golang crypto/ssh Mass Advisory: Nine CVEs Including CVSS 10.0 Re-Opened SSH Auth Bypass Affect Enterprise DevOps Infrastructure
The Go security team published a coordinated batch of nine CVE fixes for the golang.org/x/crypto SSH library on 22 May, including CVE-2026-46595 (CVSS 10.0), which re-opens a previously patched SSH authentication bypass for services using non-public-key authentication callbacks. Enterprise environments using Go-based SSH tooling, CI/CD pipelines, Kubernetes components, and cloud management tooling are affected.
QLNX Linux RAT Harvests Developer Credentials to Enable Malicious Package Publishing on npm and PyPI
Trend Micro researchers have identified QLNX (Quasar Linux), a Linux-targeting remote access trojan specifically designed to harvest developer credentials — npm tokens, PyPI upload credentials, AWS IAM keys, Docker registry credentials, and GitHub CLI tokens — from developer workstations. The harvested credentials are then used to publish malicious packages to npm and PyPI under the compromised developer's identity, enabling second-stage supply chain attacks against the developer's downstream users.
Five-Year-Old ShowDoc RCE Flaw CVE-2025-0520 (CVSS 9.4) Now Under Active Exploitation — Over 2,000 Instances Exposed
Threat actors are actively exploiting CVE-2025-0520, a critical unauthenticated remote code execution vulnerability in ShowDoc — an IT documentation tool used by developers and operations teams. The flaw, patched in October 2020 but present in thousands of unupgraded installations, allows file upload exploitation to deploy web shells. More than 2,000 publicly accessible ShowDoc instances remain vulnerable.
Trivy Security Scanner Hijacked — 75 GitHub Action Tags Redirected to Credential Stealer
The widely-used Aqua Security Trivy vulnerability scanner was compromised in a supply chain attack that replaced 75 version tags in the official trivy-action and setup-trivy GitHub Actions with credential-stealing malware. Threat actor TeamPCP leveraged non-atomic secret rotation to retain access after an initial February compromise, launching a second attack wave on 19 March. Any CI/CD pipeline that ran trivy-action or setup-trivy during the compromise window may have had cloud credentials, API tokens, and SSH keys exfiltrated.