Beyond SLSA: How to Stop Zero-Click CI/CD Worms with a 9-Step Plan
Advanced CI/CD security patterns with a concrete plan, highly relevant to platform engineering and DevEx.
Six autonomous CI/CD worm campaigns between late 2025 and mid-2026 have rendered traditional supply chain security like SLSA Level 3 and container scanning insufficient, as adversaries now target pre-build developer environments and agentic AI contexts. The IX Hexbreaker Aegis Framework proposes a 9-step active defense architecture to sanitize local IDEs, lock down AI coding agents, and stop self-replicating worms that steal credentials and pipeline caches before any container image is built. Key campaigns include Shai-Hulud 2.0's preinstall execution and Bun-based evasion, Mini Shai-Hulud's weaponization of AI settings for IDE persistence, and the TanStack cache poisoning incident (CVE-2026-45321) that commandeered GitHub Actions pipelines.
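The summary above points at install-time execution (npm `preinstall` hooks) as the entry point for the Shai-Hulud 2.0 campaign. A defender's first check is to know which packages in a dependency tree declare lifecycle scripts at all, since those run automatically during `npm install` on every developer machine and CI runner. The following is an added example, not code from the article or from the IX Hexbreaker Aegis Framework: a small auditor that walks a `node_modules` tree and reports every package with a `preinstall`, `install` or `postinstall` script. The sample manifests it builds are constructed inline so it runs offline; package names and script bodies are invented for illustration.

```python
"""Audit an npm dependency tree for install-time lifecycle scripts.

Added example (not from the article or the framework it describes).
npm runs the `preinstall`, `install` and `postinstall` scripts of every
installed package during `npm install`, so a package that declares one
gets code execution on the developer's machine and on CI runners before
any container image is built. This script lists such packages so they
can be reviewed or pinned; it does not decide whether a hook is malicious.
"""
import json
import os
import tempfile

# Lifecycle hooks that npm executes automatically for dependencies on install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(manifest: dict) -> dict:
    """Return the install-time hooks declared in a parsed package.json."""
    scripts = manifest.get("scripts")
    if not isinstance(scripts, dict):
        return {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def audit_tree(root: str) -> list:
    """Walk `root` and collect every package that declares an install hook.

    Each finding is a dict with the package name, the manifest path and the
    hook commands, sorted by path so output is stable across runs.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            # Unreadable or malformed manifests are skipped, not treated as clean;
            # a real audit would report them separately.
            continue
        hooks = find_install_hooks(manifest)
        if hooks:
            findings.append({
                "name": manifest.get("name", os.path.relpath(dirpath, root)),
                "path": path,
                "hooks": hooks,
            })
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_tree() -> str:
    """Create a constructed node_modules tree in a temp dir for demonstration.

    Package names and script commands here are invented sample data.
    """
    root = tempfile.mkdtemp(prefix="npm_hook_audit_")
    samples = {
        "left-pad": {"name": "left-pad", "version": "1.0.0",
                     "scripts": {"test": "echo ok"}},
        "suspicious-helper": {"name": "suspicious-helper", "version": "0.1.0",
                              "scripts": {"preinstall": "node setup.js",
                                          "test": "echo ok"}},
        "native-addon": {"name": "native-addon", "version": "2.3.1",
                         "scripts": {"install": "node-gyp rebuild"}},
    }
    for pkg, manifest in samples.items():
        pkg_dir = os.path.join(root, "node_modules", pkg)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for finding in audit_tree(sample_root):
        print(f"{finding['name']}: {finding['hooks']}")
```

Run it against a real checkout with `audit_tree("path/to/node_modules")`. Note that a package with an `install` hook is not automatically bad (native addons legitimately compile on install, as the `native-addon` sample shows); the point is that every hook is a code-execution point that should be known and reviewed. Projects that want to remove the execution point entirely can set `ignore-scripts=true` in `.npmrc`, at the cost of having to run any genuinely required build steps explicitly.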