Weekly Security Roundup: Supply Chain, CI Guardrails, and Governance
This week’s security items reflected two pressures: intrusions that abuse everyday automation (dependency installs, hosted web stacks, messaging attachments) and platform changes intended to make those workflows harder to exploit (CI hardening, secret detection, governable data/AI). Building on last week’s theme (attackers using default paths like dependency installs and workflow triggers, defenders adding enforceable guardrails), this week focused on high-leverage control points: npm installs, Actions runs, kubectl applies, and REST API inventory jobs.
Supply chain pressure: npm dependency installs and GitHub workflow hardening
After last week’s Trivy compromise (mutable tags, runner discovery, secret harvesting), the axios npm incident reinforced the same lesson: a supply chain compromise can cause damage even if the malicious code never runs in the shipped application, because install-time scripts can target developer laptops or CI runners. Two malicious releases, axios@1.14.1 and axios@0.30.4, added plain-crypto-js@^4.2.1, which runs a postinstall script (node setup.js). The loader is obfuscated, fingerprints the OS, then calls hxxp://sfrclak[.]com:8000/6202033 (142.11.206[.]73) to fetch an OS-specific second stage: a macOS binary dropped to /Library/Caches/com.apple.act.mond and launched via AppleScript/osascript, a Windows PowerShell RAT staged in %TEMP% with persistence at HKCU:\Software\Microsoft\Windows\CurrentVersion\run\MicrosoftUpdate (and camouflage like C:\ProgramData\wt.exe), or a Linux Python loader written to /tmp/ld.py. It also attempts cleanup by removing triggering files and restoring a benign-looking package.json.
For teams, the impact mirrors last week’s pipeline guidance: treat dependency updates as incidents until you confirm otherwise, because build hosts and secrets may already be exposed. Recommended actions include downgrading to known-good axios (1.14.0 or earlier; 0.30.3 or earlier), pinning exact versions (avoid ^/~), enforcing with npm overrides, clearing npm cache, reviewing logs for bad versions or plain-crypto-js@4.2.1, rotating secrets if runners may be compromised, and considering npm ci --ignore-scripts (or ignore-scripts=true) where feasible while acknowledging some ecosystems rely on scripts. Microsoft provided hunting guidance (KQL for Defender XDR/Sentinel) for package inventory, suspicious setup.js execution, and outbound traffic to the listed C2, plus IOCs and Defender detection names.
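A lockfile and manifest audit for the checks listed above, written here as an added example (not Microsoft's hunting queries or npm's own tooling): the compromised versions are the ones named in the advisory, the `hasInstallScript` lockfile field is npm's marker for packages with lifecycle scripts, and the sample lockfile and manifest are constructed.

```python
"""Audit an npm project for the compromised axios releases and the
install-time guardrails described above: exact pins, an axios override,
and ignore-scripts. Lockfile and manifest dicts are constructed inline."""
import re

COMPROMISED = {("axios", "1.14.1"), ("axios", "0.30.4"), ("plain-crypto-js", "4.2.1")}
# Heuristic for floating specs: ^1.2.3, ~1.2.3, >=1.2, *, 1.x, ranges, "latest"
FLOATING = re.compile(r"^[\^~]|^[<>]=?|^\*$|\.[xX*]|\|\||\s-\s|^latest$")

def audit_lockfile(lock: dict) -> list[str]:
    """Walk lockfileVersion 2/3 'packages' entries (keys such as
    'node_modules/axios') and flag known-bad versions and install scripts."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                              # "" is the project itself
            continue
        name, version = path.rsplit("node_modules/", 1)[-1], meta.get("version")
        if (name, version) in COMPROMISED:
            findings.append(f"compromised: {name}@{version} at {path}")
        if meta.get("hasInstallScript"):          # npm records lifecycle scripts here
            findings.append(f"install script: {name}@{version} at {path}")
    return findings

def audit_manifest(pkg: dict) -> list[str]:
    """Flag floating ranges on direct deps and require an exact axios override."""
    findings = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if FLOATING.search(spec):
                findings.append(f"floating range: {name}@{spec} in {section}")
    override = pkg.get("overrides", {}).get("axios")
    if override is None or FLOATING.search(override):
        findings.append("overrides: axios is not pinned to an exact known-good version")
    return findings

def npmrc_ignores_scripts(npmrc_text: str) -> bool:
    """True when .npmrc turns lifecycle scripts off (ignore-scripts=true)."""
    return any(re.fullmatch(r"\s*ignore-scripts\s*=\s*true\s*", line)
               for line in npmrc_text.splitlines())

# Constructed sample input: a lockfile that pulled the bad release and a
# manifest that still floats axios but overrides it to a known-good version.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/axios": {"version": "1.14.1"},
    "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True}}}
SAMPLE_PKG = {"dependencies": {"axios": "^1.14.0"}, "overrides": {"axios": "1.14.0"}}

if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK) + audit_manifest(SAMPLE_PKG):
        print(finding)
```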
In parallel, GitHub’s supply-chain guidance continues last week’s Actions hardening direction: reduce reliance on trust-by-convention (mutable refs, broad secrets) and make workflows more resistant to Trivy-style pivots. It recommends enabling CodeQL scanning for workflow YAML with the Actions query pack, avoiding pull_request_target when possible, pinning third-party actions to full commit SHAs (and treating pin changes as high-risk), and hardening against script injection when interpolating user-controlled values (branch names, PR titles). It also emphasizes replacing long-lived secrets with OIDC federated identity and using “trusted publishing” (OpenSSF-aligned) to improve provenance without embedding publish creds in pipelines. Together, axios plus GitHub workflow guidance continues last week’s “guardrails on default paths” thread: dependency resolution and CI config are core attack surfaces, and a dependable mitigation is minimizing secret exposure while tightening what can run.
- Mitigating the Axios npm supply chain compromise
- Securing the open source supply chain across GitHub
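A small workflow linter for the three Actions hardening points above (SHA pinning of third-party actions, pull_request_target, and injection through interpolated event fields), added here as an example rather than GitHub's CodeQL Actions queries; the sample workflow is constructed, and treating the `actions/` and `github/` owners as first-party is an assumption.

```python
"""Lint GitHub Actions workflow text for the hardening points above: third-party
actions not pinned to a commit SHA, pull_request_target, and contributor-controlled
event fields (PR titles, branch names) interpolated straight into run: steps.
Added example, not GitHub's CodeQL queries; line-based regexes, no YAML parser."""
import re
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
UNTRUSTED_RE = re.compile(   # fields an external contributor controls
    r"\$\{\{\s*github\.(?:head_ref|event\.(?:pull_request\.(?:title|body|head\.ref)"
    r"|issue\.(?:title|body)|comment\.body))\s*\}\}")
def lint_workflow(text: str) -> list[str]:
    findings, run_col = [], None      # run_col: column of an open 'run: |' key
    for n, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        if run_col is not None and line.strip() and indent <= run_col:
            run_col = None                                 # block scalar ended
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()   # first-party owners may keep tags (assumption)
            if not action.startswith(("actions/", "github/")) and not SHA_RE.match(ref):
                findings.append(f"line {n}: {action}@{ref} is not pinned to a full commit SHA")
        if re.search(r"\bpull_request_target\b", line):
            findings.append(f"line {n}: pull_request_target runs with base-repo secrets and a write token")
        inline_run = re.match(r"^\s*(?:-\s*)?run:", line)
        if (run_col is not None or inline_run) and UNTRUSTED_RE.search(line):
            findings.append(f"line {n}: untrusted field interpolated into run:; pass it through env instead")
        block = re.match(r"^(\s*(?:-\s*)?)run:\s*[|>][-+\d]*\s*$", line)
        if block:
            run_col = len(block.group(1))
    return findings
# Constructed sample workflow: all three findings plus the safe env pattern.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/setup-thing@v2
      - uses: other-org/tool@0123456789abcdef0123456789abcdef01234567
      - name: greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
      - name: safe
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
"""
```

The `safe` step shows the mitigation the guidance describes: the untrusted value goes into an environment variable, and the shell expands `$TITLE` instead of the workflow engine splicing text into the script.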
Threat research and hunting: stealthy Linux webshells and WhatsApp-delivered Windows chains
Microsoft documented a stealthy Linux hosting technique: PHP webshells that take commands from HTTP cookies instead of query params or POST bodies. This matches last week’s framing that routine-looking traffic can hide execution, so defenses should focus on enforceable controls and observable choke points. Because the trigger is in $_COOKIE, shells can stay dormant under normal browsing and avoid obvious log indicators. Variants include obfuscated loaders that reconstruct function names, write second stages, then include them, and interactive single-file shells gated by a “key” cookie. Persistence often uses cron “self-healing” to recreate loaders (including in cPanel/jailshell contexts) plus permission tweaks that slow cleanup. Detection guidance maps to ops reality: hunt for web server processes spawning shells and tools (base64, curl, wget), pipelines that decode/write .php into web directories, and cron jobs running frequently that write into web paths. Defender for Endpoint on Linux setup and Defender XDR KQL queries are provided.
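The detection guidance above turned into runnable checks over constructed process events and crontab lines, added here as an example (not Microsoft's KQL); the web-server and tool name sets are assumptions covering common defaults, not a complete list.

```python
"""Flag the choke points the webshell write-up calls out: web-server processes
spawning shells or download/decode tools, decode-and-write pipelines that drop
.php into web roots, and high-frequency cron jobs touching web paths. Added
example, not Microsoft's KQL; the process events and crontab lines are
constructed and the process names/paths are common defaults, not a full list."""
import re

WEB_SERVERS = {"php-fpm", "php", "apache2", "httpd", "nginx", "lsphp", "litespeed"}
TOOLS = {"sh", "bash", "dash", "base64", "curl", "wget", "perl", "python", "python3"}
WEB_PATH = re.compile(r"/(?:var/www|public_html|htdocs|www)\b")
DECODE_WRITE = re.compile(r"base64\s+(?:-d|--decode)\b.*>\s*\S*\.php")

def flag_process(ev: dict) -> list[str]:
    """ev has 'parent' (parent process name), 'name' (child), 'cmdline'."""
    out = []
    if ev["parent"] in WEB_SERVERS and ev["name"] in TOOLS:
        out.append(f"web server {ev['parent']} spawned {ev['name']}")
    if DECODE_WRITE.search(ev["cmdline"]) and WEB_PATH.search(ev["cmdline"]):
        out.append("decoded payload written as .php into a web directory")
    return out

def flag_cron(line: str, max_minutes: int = 15) -> bool:
    """True for a crontab entry firing at least every max_minutes (every minute
    or '*/N' with N <= max_minutes) whose command touches a web path: the
    'self-healing' loader pattern. Comma lists such as 0,15,30 are not handled."""
    m = re.match(r"^\s*(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(.*)$", line)
    if not m:
        return False
    minute, hour, cmd = m.groups()
    step = minute[2:] if minute.startswith("*/") else None
    frequent = hour == "*" and (minute == "*" or (step or "").isdigit() and int(step) <= max_minutes)
    return frequent and bool(WEB_PATH.search(cmd))

# Constructed sample telemetry (not real incident data).
SAMPLE_EVENTS = [
    {"parent": "php-fpm", "name": "sh",
     "cmdline": "sh -c 'echo <b64> | base64 -d > /var/www/html/.cache.php'"},
    {"parent": "php-fpm", "name": "php-fpm", "cmdline": "php-fpm: pool www"},
    {"parent": "sshd", "name": "bash", "cmdline": "-bash"},
]
SAMPLE_CRON = [
    "*/5 * * * * /bin/sh -c 'cp /tmp/.c/x.php /home/u/public_html/wp-content/.a.php'",
    "0 3 * * 0 /usr/bin/certbot renew",
]
```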
Another Defender post covered a WhatsApp-delivered Windows campaign that starts with a malicious .vbs attachment and ends with unsigned MSI installers used for persistence and remote access. It continues last week’s identity/containment theme: attacker chains blend into normal admin/user behavior, so hunting depends on lineage, metadata, and policy containment. The chain creates hidden folders in C:\ProgramData, drops renamed legitimate utilities (for example, curl.exe renamed to netapi.dll, bitsadmin.exe renamed to sc.exe), downloads additional VBS from AWS S3/Tencent COS/Backblaze B2, then tampers with UAC-related registry values to reduce prompts while attempting elevation. Final-stage unsigned MSI packages (including “AnyDesk.msi”) blend into typical software installs. A defender tip is detecting renamed binaries via PE metadata mismatches (for example, VersionInfoOriginalFileName), plus KQL hunts for wscript/cscript from suspicious locations, downloader flags, and .vbs/.msi drops tied to renamed utilities. Hardening guidance focuses on ASR rules (obfuscated scripts, low-prevalence executables, blocking VBScript/JavaScript launching downloaded executables), script host restrictions, and enabling EDR-in-block-mode and tamper protection.
- ‘Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments’
- WhatsApp malware campaign delivers VBS payloads and MSI backdoors
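The PE metadata check mentioned above, as an added example rather than Microsoft's query: it locates OriginalFilename by scanning for the UTF-16 key inside the VERSIONINFO resource instead of walking the PE resource tree, an assumption that holds for typical layouts but makes this a triage heuristic; the sample bytes are constructed.

```python
"""Spot renamed utilities the way the write-up suggests: compare the on-disk
name with OriginalFilename from the PE VERSIONINFO resource. Added example,
not Microsoft's KQL. The lookup scans for the UTF-16LE 'OriginalFilename'
key instead of walking the PE resource tree, so it is a triage heuristic.
Sample bytes are constructed inline."""
import ntpath
import struct
from typing import Optional

KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"

def original_filename(data: bytes) -> Optional[str]:
    """Return the OriginalFilename string from PE bytes, or None if absent.
    A VERSIONINFO String entry is: WORD wLength, WORD wValueLength,
    WORD wType, szKey (UTF-16LE, NUL-terminated), 32-bit padding, szValue."""
    i = data.find(KEY)
    if i < 0:
        return None
    i += len(KEY)
    while data[i:i + 2] == b"\x00\x00":           # alignment padding, if any
        i += 2
    j = i
    while j + 1 < len(data) and data[j:j + 2] != b"\x00\x00":
        j += 2                                     # UTF-16 units are 2 bytes
    return data[i:j].decode("utf-16-le", errors="replace")

def renamed_binary(path: str, data: bytes) -> Optional[str]:
    """Describe the mismatch (e.g. curl.exe stored as netapi.dll), else None."""
    orig = original_filename(data)
    if orig is None:
        return None
    actual = ntpath.basename(path)
    if actual.lower() != orig.lower():
        return f"{path}: on-disk name {actual!r} but OriginalFilename {orig!r}"
    return None

def fake_version_string(value: str) -> bytes:
    """Constructed VERSIONINFO String entry for the demo (not a real PE)."""
    val = value.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<HHH", 6 + len(KEY) + len(val), len(value) + 1, 1) + KEY + val

# Constructed sample: the bytes a renamed curl.exe would still carry.
SAMPLE_BLOB = b"MZ\x90\x00" + b"\x00" * 12 + fake_version_string("curl.exe")

if __name__ == "__main__":
    print(renamed_binary(r"C:\ProgramData\netapi.dll", SAMPLE_BLOB))
```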
GitHub security operations: secret scanning expansion and CodeQL reporting that matches real branching
GitHub security tooling continued shifting from “enable it” to “operate it,” which matches last week’s faster feedback loops (incremental CodeQL in PRs) and tighter control surfaces (push protection exemptions, credential revocation). Secret Scanning added nine detectors across seven providers (including Figma SCIM tokens, LangSmith keys/tokens, PostHog OAuth tokens, Salesforce Marketing Cloud tokens) and added validity checks for npm_access_token so alerts can show whether a token is still active. Push protection also expanded default blocking to more secret types (including Figma SCIM tokens and specific Google/OpenVSX/PostHog patterns) when Secret Scanning is enabled, which reduces the chance secrets land in history. In the context of last week’s “rotate/revoke quickly” theme, the improvement is triage quality: not just “a token exists,” but “it still works.”
CodeQL 2.25.0 updates align analysis with current toolchains and improve precision: Swift 6.2.4 support; a rewritten Java/Kotlin control flow graph focusing on reachable nodes; C# support for C# 14 partial constructors; and taint tracking that treats System.Net.WebSockets::ReceiveAsync as a remote source to improve WebSocket findings. JavaScript/TypeScript also gained browser source kinds (browser-url-query, browser-url-fragment, browser-message-event) for teams extending CodeQL models. Along with last week’s incremental PR scanning push, the direction stays consistent: keep scans fast enough for PR loops while improving modeling fidelity.
GitHub Security Overview’s CodeQL “pull request insights” now aggregates across all protected branches, not just the default branch, and CSV export matches. This fits last week’s “govern rollouts, reduce drift” framing: teams often ship from release/* and maintenance branches, so default-branch-only reporting undercounts both risk and remediation work. After rollout, dashboards (and Copilot Autofix outcome counts) should better reflect what is being fixed and shipped, though historical numbers may shift.
- GitHub secret scanning — coverage update
- CodeQL 2.25.0 adds Swift 6.2.4 support
- CodeQL pull requests insights on security overview now cover all protected branches
Security governance in Azure and Microsoft Fabric: admission control, labeling, encryption, and recovery
AKS guidance emphasized where security checks prevent incidents in practice: admission time, not only CI. This matches last week’s “guardrails on execution paths” framing by shifting enforcement from pipelines to cluster-side controls that still apply when someone uses kubectl or when drift accumulates. The approach combines early CI guardrails with Azure Policy for AKS (OPA Gatekeeper) to enforce policies in-cluster. It recommends staged Pod Security Standards rollout (Audit first, then Deny in production namespaces), network policy enforcement to limit lateral movement, and image governance at admission so only approved registries/images run. Runtime coverage comes from Microsoft Defender for Containers (with a reminder that restricted-egress clusters need outbound endpoint planning), while Azure Policy compliance reporting provides continuous audit/drift views across clusters/namespaces.
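The admission checks above (approved registries, restricted Pod Security Standards, audit-then-deny staging) as a pre-apply gate for rendered manifests, added here as an example and not Azure Policy's built-in definitions or Gatekeeper Rego; the registry allow-list and the Deployment dict are constructed.

```python
"""Mirror the admission-time checks described above (approved registries,
restricted Pod Security Standards, staged audit-then-deny) as a pre-apply
gate for rendered manifests. Added example, not Azure Policy or Gatekeeper
Rego; the registry allow-list and the Deployment dict are constructed."""
ALLOWED_REGISTRIES = ("myacr.azurecr.io/", "mcr.microsoft.com/")   # assumed

def check_workload(obj: dict, allowed=ALLOWED_REGISTRIES) -> list[str]:
    """Return violations for a Pod or a Deployment/StatefulSet/Job template."""
    spec = obj.get("spec", {})
    if "template" in spec:
        spec = spec["template"].get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out = []
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        out.append("pod: host namespaces are not allowed")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, image, sc = c.get("name", "?"), c.get("image", ""), c.get("securityContext", {})
        if not image.startswith(allowed):
            out.append(f"{name}: image {image!r} is not from an approved registry")
        if sc.get("privileged"):
            out.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):       # must be explicitly false
            out.append(f"{name}: allowPrivilegeEscalation must be false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            out.append(f"{name}: runAsNonRoot must be true")
        if sc.get("capabilities", {}).get("drop") != ["ALL"]:
            out.append(f"{name}: capabilities.drop must be [ALL]")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            out.append(f"{name}: seccompProfile must be RuntimeDefault or Localhost")
    return out

def gate(obj: dict, mode: str = "audit") -> tuple[bool, list[str]]:
    """Staged rollout: 'audit' only reports; 'deny' blocks on any violation."""
    violations = check_workload(obj)
    return (mode == "deny" and bool(violations)), violations

# Constructed sample: a compliant app container plus a non-compliant sidecar.
SAMPLE_DEPLOYMENT = {"kind": "Deployment", "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "api", "image": "myacr.azurecr.io/shop/api:1.4.2",
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"drop": ["ALL"]}}},
        {"name": "sidecar", "image": "docker.io/library/busybox:latest",
         "securityContext": {"privileged": True}}]}}}}

if __name__ == "__main__":
    blocked, found = gate(SAMPLE_DEPLOYMENT, mode="deny")
    print("blocked" if blocked else "allowed", *found, sep="\n")
```

This catches drift in CI before kubectl apply; the cluster-side Azure Policy/Gatekeeper enforcement described above remains the control that still applies to direct applies and accumulated drift.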
Fabric governance became easier to automate, continuing last week’s “enforceable controls without rewrites” thread plus better API surfaces for inventory/policy. Sensitivity labels are now returned in Fabric Public REST APIs (List Items, Get Item, Update Item), reducing extra per-item metadata calls for inventory/compliance workflows; label updates still use Admin label management endpoints, including Bulk Set/Remove. This supports cleaner label-aware automation patterns, including for AI/agent workflows that must filter access by “Confidential”/“Restricted” classifications, which we highlighted last week with Purview monitoring and governance.
Fabric also introduced Item Recovery (preview): item-level soft delete with a workspace recycle bin and tenant-configurable retention (7-90 days), with restore via portal or REST API. This extends last week’s identity/recovery reminders (Entra Backup/Restore) into the analytics plane, because governance also includes practical recovery when mistakes or malicious deletions happen. Beyond undoing deletes for notebooks/pipelines/lakehouses, it supports forensics by restoring artifacts (and their lineage/labels) when audit logs only show create/delete. Fabric preview also allows workspace-level Customer-Managed Keys (CMK) even when the workspace is on a BYOK-enabled capacity, removing a constraint that previously forced capacity splits. The separation remains (BYOK for Power BI semantic models at capacity; workspace CMK for other Fabric items), but it simplifies regulated deployments and key runbooks, complementing last week’s CMK GA for Fabric SQL Database.
- ‘DevSecOps on AKS: Governance Gates That Actually Prevent Incidents’
- Sensitivity labels in Fabric for public APIs (Generally Available)
- Item Recovery in Microsoft Fabric (Preview)
- Workspace Customer-Managed Keys for BYOK in Microsoft Fabric (Preview)
Other Security News
Agent security guidance continued shifting from model behavior to enforceable control surfaces, building on last week’s agent-governance focus on intent, identity, and runtime checks. Microsoft mapped the OWASP Top 10 Risks for Agentic Applications (2026) to Copilot Studio guardrails: restrict allowed connectors/actions, apply DLP to limit data movement, use isolation + republishing to prevent runtime self-modification, and ensure operational “kill switch” controls (restrict/disable/stop sharing). A companion governance layer is Agent 365 (preview, GA noted as May 1) as a lifecycle control plane for monitoring and policy enforcement across deployed agents.
- Addressing the OWASP Top 10 Risks in Agentic AI with Microsoft Copilot Studio
GitHub enablement content focused on making repo security features part of normal PR work, echoing last week’s “earlier feedback in PRs” direction (incremental CodeQL) and the broader goal of workable controls at scale. A “getting started” guide covers enabling GHAS features (Secret Scanning, Dependabot alerts/security updates, CodeQL) and using Copilot Autofix for eligible CodeQL alerts, while reminding teams remediation needs review and secret leaks require provider rotation/revocation. A Dependabot short reinforces the workflow: let Dependabot open patch PRs, validate with CI/tests, merge to reduce time-to-fix. Secret scanning education reiterates the response loop: find the line, remove the secret, rotate/revoke, and confirm downstream updates.
- ‘GitHub for Beginners: Getting started with GitHub security’
- How to fix vulnerabilities automatically with Dependabot
- How GitHub secret scanning saves your code
A small GitHub UI change may affect docs: the “Security” tab is now “Security & quality,” “Vulnerability alerts” is now “Findings,” and a “Code quality” section appears in the repo sidebar. URLs/APIs are unchanged, but internal runbooks, training, and screenshots may need updates; GHES does not get this yet.
- The Security tab is now Security & quality
GitHub Enterprise Cloud’s EU data residency region expands May 1, 2026 to include Azure regions in Norway and Switzerland (EFTA), aligning with Microsoft’s EU Data Boundary. No certification/control changes are claimed, but organizations requiring EU-member-state-only residency should contact support/account teams ahead of the date. It pairs with last week’s governance story: where the platform runs remains part of compliance alongside keys, labels, and auditability.
- EU data residency region expanding to include EFTA countries
Microsoft Threat Intelligence also outlined how generative AI is increasingly embedded in attacker workflows, including higher-conversion phishing paired with infrastructure that bypasses MFA via adversary-in-the-middle (AiTM) token theft. This continues last week’s identity-first framing: attackers target what identities can reach, and defenses prioritize phishing-resistant MFA plus context-aware containment. The post highlights Tycoon2FA (Storm-1747) as a modular cybercrime service, notes disruption efforts (including domain seizures), and reinforces that token theft and phishing-resistant MFA are central to modern defense.
- Threat actor abuse of AI accelerates from tool to cyberattack surface