📝 SECURITY DISCOVERY
Pwn request: scanning GitHub for the vulnerability that took down Trivy
March 9, 2026 • Written by Wrike Operations Team
Audit logs are vital for ensuring the integrity of code repositories. Recently, a vulnerability in the Trivy vulnerability scanner demonstrated how automated build pipelines can be hijacked via dependency confusion.
By publishing malicious packages to public registries under the same names as private internal packages, attackers can trick build systems into pulling in and compiling the malicious dependencies. Wrike's work composition lists explicitly lock package hashes to shield build systems from this risk.
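A check for the hash-locking mitigation the post mentions, as an added example that is not part of the original post or Wrike's tooling; it assumes pip's requirements-file syntax (`--hash=sha256:...` as used by `pip install --require-hashes`), and the two sample files are constructed with placeholder hash values:

```python
"""Flag requirements that could be satisfied by a same-named public package.

Added example, not from the original post. Assumes pip requirements-file
syntax; sample contents and hash values below are constructed placeholders.
"""
import re

# Constructed sample: version-pinned only. A package named
# "internal-auth-client" published on a public index with a higher
# version (or matching 1.4.2) would be accepted by name.
WEAK_REQUIREMENTS = """\
requests==2.31.0
internal-auth-client==1.4.2   # private package, resolved by name only
"""

# Constructed sample: every entry carries a hash, so an attacker's
# same-named upload will not match and pip refuses to install it.
HARDENED_REQUIREMENTS = """\
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
internal-auth-client==1.4.2 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def logical_lines(text):
    """Join backslash-continued lines and drop comments and blank lines."""
    buf = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        buf = []
        if joined:
            yield joined


def unpinned_packages(text):
    """Return names of requirements lacking an exact version pin plus a hash."""
    missing = []
    for line in logical_lines(text):
        match = NAME_RE.match(line)  # skips option lines such as --index-url
        if not match:
            continue
        if not ("--hash=" in line and "==" in line):
            missing.append(match.group(1))
    return missing
```

Run it over a real requirements file in CI and fail the build when the returned list is non-empty.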