## Atomic Insight **CI/CD pipelines implicitly trust their inputs — tools, dependencies, artifacts — and that trust is the attack surface.** In a 12-day window (March 19-31, 2026), one actor (TeamPCP) exploited it four times against tools with hundreds of millions of downloads: Trivy (76/77 version tags force-pushed malicious, CVE-2026-33634), Checkmarx KICS, LiteLLM (backdoored via credentials harvested from its own Trivy-using pipeline), and axios (both release branches compromised within 39 minutes). Three recurring attack patterns, each with a control: | Pattern | Control | | ---------------------------------------------------- | -------------------------------------------------------------------------- | | Poisoned tools/actions via mutable version tags | Pin to immutable references (commit SHAs, image digests); verify checksums | | Packaging misconfigurations shipping debug artifacts | Allowlist validation + size gates before publish | | Transitive dependency compromise via lockfile | Compare checksums against known-good state; detect undeclared dependencies | The structural defense is mandatory, immutable pipeline jobs that verify integrity before execution (GitLab Pipeline Execution Policies) — policy the pipeline cannot opt out of, rather than per-project YAML hygiene. The LiteLLM case is the sharpest lesson: a security scanner became the attack vector, and the compromise cascaded — security tooling sits inside the trust boundary it is supposed to defend. --- *Source: [[Pipeline Security Lessons March 2026 Incidents - GitLab Blog 20250407]] (Grant Hickman, GitLab Blog, 2026-04-07; full capture archived)*