Hackers target popular open-source projects.

It’s Monday! And also Star Wars Day, so why not call out one of the great IT pros of cinema: R2-D2, a droid that knew how to get on the Imperial network, put out a control-panel fire, and store a Princess Leia hologram securely. In Artoo’s honor, maybe just respond in beeps and whistles today.

In today’s edition:

Go on, Git(Hub)

License and authentication please

Cut some Slack

—Caroline Nihill, Billy Hurley

CYBERSECURITY


Open-source security scanners are the latest targets for supply-chain attack actors.

Aqua Security, the company that maintains Trivy, an open-source vulnerability scanner, was reportedly targeted by a hacker group known as TeamPCP on March 19. The threat actors injected credential-stealing malware into Trivy through GitHub Actions and container images, cloud security company Wiz shared in a post.

Cory Michal, VP of security at SaaS company AppOmni, told IT Brew that, because Trivy is commonly used in software-development pipelines to check for vulnerabilities before pushing to production, attackers can access and steal code at a sensitive point in the development process.

“This [malware] got pushed to thousands of organizations, a lot of open-source projects, things like that,” Michal said. “What happened is, when that code ran in their build pipeline, it stole all those credentials. Now the attacker is going through and leveraging those credentials.”

What developers need to do next.—CN


CYBERSECURITY


Fraudsters want to be you so bad.

Cybersecurity pros have been sounding the alarm about cyberattackers’ ability to use AI tools, including deepfakes, to create fake documents, photographs, and video. In many cases, attackers use these assets to sidestep financial institutions’ security and steal funds.

To fight the deepfakes, Jeremy Grant, coordinator of the Better Identity Coalition, sees value in a modern take on a familiar document—one that NIST recently called “emerging” and that GenAI can’t easily duplicate: a mobile driver’s license, or mDL, digitally signed.

“One thing that GenAI can’t spoof is possession of a private cryptographic key,” Grant told us.

Can mDLs pass the test?—BH

Public cloud: These clouds offer internet-connected services like storage, servers, and even emerging-tech services such as machine learning, so an IT pro can carry out whatever cloud-based activities they need without having to do all the setup themselves.

CLOUD


The Veterans Health Administration (VHA) isn’t embracing the slacker lifestyle—the Department of Veterans Affairs’ sprawling healthcare system doesn’t have time for that—but it does plan on using Slack to make its operations more efficient.

Specifically, the VHA announced a partnership with Salesforce to roll out Slack in March for its healthcare environments, right before it resumes its electronic health record (EHR) modernization rollout. The agency is now live with several of the new capabilities, with more rolling out in the coming weeks and months, Kara Sibbern, corporate communications manager at Salesforce, wrote in an email to IT Brew.

According to Josh Geiger, senior advisor to the COO at the VHA, the partnership could increase efficiency by pulling information together in one centralized location.

Meanwhile, Salesforce claims that using Slack as an agentic operating system—i.e., a platform for managing multiple AI agents—will help healthcare professionals identify urgent improvement areas, summarize chat histories, and upload real-time information through mobile devices, among other improvements. Sibbern wrote that Slack is able to monitor metrics, detect issues, and automatically assemble people and context without humans needing to initiate every step.

The VA has had its modernization struggles.—CN


PATCH NOTES


Today’s top IT reads.

Stat: Nearly $725 million. That’s how much the US and Canada lost in cargo theft in 2025. Cyberattackers are leading the heists, according to an announcement last week from the FBI. (Bleeping Computer)

Quote: “People also aren’t using these tools efficiently. It’s like asking Albert Einstein how to open a bottle of wine.”—AI policy expert Lennart Heim, on a recent token crunch (Scientific American)

Read: Meet the bribers, love-bombers, and tricksters jailbreaking today’s frontier chatbots. (The Guardian)


Copyright © 2026 Morning Brew Inc. All rights reserved.