Cloud Reviewer Blog
Cloud, container, and DevSecOps security — practical guidance from the Cloud Reviewer team.
npm Worm in binding.gyp: Securing CI/CD Pipelines Against Build-Time Supply Chain Attacks

A self-propagating npm worm that hijacks node-gyp build scripts represents a new class of supply chain threat — one that activates inside your CI/CD pipeline at container image build time, not at…
Kubernetes & Container Security: Supply Chain, NGINX, and Linux Threats

Recent incidents highlight a critical pattern: attackers are exploiting both third-party package ecosystems and core infrastructure components to gain access to container orchestration environments. This requires a shift
Gitea Registry Flaw & 2026 Kubernetes Security Strategies

A recent vulnerability in Gitea's container registry allowed unauthenticated access to private images, affecting over 30,000 deployments. This incident highlights the critical need for robust Kubernetes and container sec
Embedding SBOM-Driven Compliance as Code in CI/CD Pipelines

When a leaked credential or a malicious npm package can undo months of work, compliance must be baked into the pipeline itself. This article shows how SBOM-driven, policy-as-code controls turn every build into a verifiab
Lambda Weaponized: Detect AWS C2 Abuse via Taint Tracing

The Qualys research details how a malware family they call HazyBeacon abuses AWS Lambda Function URLs as a command-and-control channel, turning a serverless invocation endpoint into a persistent C2…
Supply Chain Risk in npm: What the Miasma Red Hat Attack Means for Cloud-Native SBOM Compliance

The discovery of a supply chain attack targeting RedHat npm packages (noted as "Miasma" by Wiz's threat intelligence) confirms what security teams have suspected for years — the JavaScript…