Attempts to post the latest Trivy security incident have been marked [dead]

https://news.ycombinator.com/from?site=github.com%2Faquasecurity

78•JoshuaDavid•3h ago

Comments

JoshuaDavid•3h ago

Trivy (a very widely-used security scanner) was recently compromised. Anyone who installed the aquasecurity/trivy-action dependency by tag rather than by sha during a 3 hour period on March 19 was likely compromised. There is a Github security advisory at https://github.com/aquasecurity/trivy/security/advisories/GH...

6 separate people have tried to submit this to HN. All of the submissions are marked as [dead]. I am unsure whether this is a malicious action taken by the actors who compromised trivy or whether it's just the result of prior spam under github.com/aquasecurity, but regardless it is probably not ideal for security advisories to be auto-marked as [dead].

altairprime•1h ago

I emailed this post to the mods (using the footer contact link) on behalf of OP so they have a chance to assess and reply.

tomhow•20m ago

Please just email us (hn@ycombinator.com) when something like this happens.

Moderators didn't see these submissions or if we did, we didn't know why this project or incident was significant or important.

Now we've seen it, we've boosted the first submission of the incident onto the front page, and updated the URL and title to the most up-to-date/complete page about the incident.

The reason the submissions were being killed is that the GitHub account's address had been banned on HN due to previously being submitted by spam bots.

JoshuaDavid•16m ago

Noted and sent. Thanks for all your hard work.

mtmail•2h ago

Looks like the repository URL was marked [dead] for several years, I can't tell why. Best to email the moderator (link in footer).

Big security stories often get republished, one might say reviewed and filtered. For this story I see

opensourcemalware.com - https://news.ycombinator.com/item?id=47449498

stepsecurity.io - https://news.ycombinator.com/item?id=47451081

arstechnica.com - https://news.ycombinator.com/item?id=47464996

and 4 others.

kay_o•2h ago

Looking at https://news.ycombinator.com/from?site=github.com/aquasecuri... around 2024 when the dead started, a spambot ring was repeatedly posting it?

( Make need to turn on "showdead"; to see it in the 2024 they have similar posts .. )

cluckindan•1h ago

Maybe it was intentionally compromised all along.

fragmede•1h ago

Oh that's clever. Use the spambot ring to promote the story so that the story gets marked dead because of that! Instead of hiding the news, use the botnet to promote it and use the system against itself.

Retr0id•57m ago

I've noticed some HN posts get a higher-than-average number of replies from LLM bots. I've wondered if this has a downranking effect due to the upvote/comment ratio, and whether people might be using bots to do this intentionally. Alternatively it could just be that the bots "like" certain keywords more than others.

akerl_•59m ago

Yea, this looks like a lingering auto-moderation on the Github repo URL prefix due to past spam attempts.

tptacek•47m ago

You should just mail hn@ycombinator.com about this stuff.

Or: write a short blog post about it, and post that, on your (different) domain.

gzread•40m ago

What if their goal is more to raise awareness about HN moderation practices than to fix the problem quickly?

It's certainly worked. Lots of people have seen this and now have a slightly worse opinion of HN moderation.

tptacek•31m ago

Probably offset by the people whose opinion of HN moderation will improve as a result of this. Six of one, &c.

tomhow•25m ago

> raise awareness about HN moderation practices

What practices?

Tinybox – Offline AI device 120B parameters

Profiling Hacker News users based on their comments

Professional video editing, right in the browser with WebGPU and WASM

Some things just take time

Boomloom: Think with your hands

Do Not Turn Child Protection into Internet Access Control

Bayesian statistics for confused data scientists

The Impact of AI on Game Dev Jobs. Open to Work Crisis

Grafeo – A fast, lean, embeddable graph database built in Rust

Trivy ecosystem supply chain briefly compromised

Electronics for Kids, 2nd Edition

Show HN: Termcraft – terminal-first 2D sandbox survival in Rust

How Invisalign became the biggest user of 3D printers

Common Lisp Development Tooling

How Ford burned $12B in Brazil (2021)

The paddle wheel aircraft carriers of Lake Michigan

Hide macOS Tahoe's Menu Icons

Welcome to the Block Universe

No evidence cannabis helps anxiety, depression, or PTSD

Ubuntu 26.04 Ends 46 Years of Silent sudo Passwords

Show HN: Atomic – self-hosted, semantically-connected personal knowledge base

Seam carving with forward energy

Floci – A free, open-source local AWS emulator

ZJIT removes redundant object loads and stores

Thinking Fast, Slow, and Artificial: How AI Is Reshaping Human Reasoning

Meta's Omnilingual MT for 1,600 Languages

A Japanese glossary of chopsticks faux pas (2022)

Books of the Century by Le Monde

Mamba-3

Hawaii's worst flooding in 20 years threatens dam, prompts evacuations