How Trust in Open-Source Updates Becomes a Systemic Failure Mode
A structural analysis of how trust in open-source updates becomes exploitable when systems assume past safety implies future safety, using the Trivy compromise as a case study.
Cisco’s CI/CD pipeline fetched a Trivy release from a public container registry, executed it, and propagated the pipeline’s AWS credential scope to the artifact’s runtime environment. Three hundred private repositories were cloned. The build system produced this outcome by operating exactly as configured: resolve a version coordinate, pull the matching artifact, execute it.
The original assumption was that a version coordinate in a public registry is a stable reference to fixed content. If a tool had been executed safely at a given version, future executions of that same version would produce equivalent behavior. Trust was not attached to content - it was attached to the coordinate. The system did not hold a validated copy of the artifact; it held a pointer, and it treated the pointer as a guarantee.
What changed was not the pipeline and not the attacker’s capability. What changed was the validity of the assumption that a version coordinate maps to immutable content. The registry artifact at the referenced coordinate was replaced. The system’s pointer now resolved to different content than it had resolved to on first trusted execution. The system had no mechanism to detect the discrepancy because it had never measured the gap between a reference and what the reference resolved to.
The mechanism of failure was a reference standing in for validation at every execution step. No checksum comparison against a prior known-good artifact hash occurred before execution. No cryptographic signature over the artifact content was verified against a trusted public key. The pipeline’s credential scope - AWS keys with repository access - was passed to whatever artifact the registry returned for the configured version string. When the artifact’s content changed, the credential exposure changed with it, automatically and silently, because the pipeline’s trust model contained no state that could have distinguished the compromised artifact from the original.
The same mechanism operates across the dependency execution surface. Terraform’s module resolution fetches source at apply time from a registry or VCS path; without explicit hash pinning in a lockfile and enforced signature verification, the module content is trusted by location and version tag alone. The 2021 compromise of the ua-parser-js npm package demonstrated the same failure class: a published release at a version coordinate that had been safe was replaced with a credential-harvesting payload, and consuming pipelines executed it because they evaluated the coordinate, not the content. The attack surface in every case is the delta between the reference and what it resolves to - a delta that automated build systems are architecturally configured to ignore.
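The two resolution modes described above (trust attached to the coordinate versus trust attached to content) side by side, as an added example that is not code from the original post or from any of the projects it names. Everything here is constructed: the registry is a dictionary, the coordinate `example-registry/scanner:vX.Y.Z` is a placeholder rather than a real Trivy tag, the artifact bytes are stand-ins, and the credential list carries variable names only. The pin record plays the role of a lockfile with content hashes; the same gate generalizes to a container digest or an npm `integrity` field, because in each case the check is the same: compare what the reference resolved to against what it resolved to when it was first trusted, before any credentials reach the artifact.

```python
import hashlib
import hmac


def content_digest(data: bytes) -> str:
    """Digest of the artifact bytes: the identity the post says the pipeline never tracked."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


class ArtifactMismatch(Exception):
    """Raised when the content behind a coordinate does not match its recorded pin."""


def resolve_by_coordinate(registry: dict, coordinate: str) -> bytes:
    """Trust-by-reference: return whatever the registry serves for the tag today."""
    return registry[coordinate]


def resolve_verified(registry: dict, lockfile: dict, coordinate: str) -> bytes:
    """Trust-by-content: resolve the tag, then refuse anything whose digest differs from the pin."""
    data = registry[coordinate]
    expected = lockfile.get(coordinate)
    if expected is None:
        raise ArtifactMismatch(f"{coordinate}: no recorded pin; refusing to execute unpinned content")
    actual = content_digest(data)
    if not hmac.compare_digest(actual, expected):
        raise ArtifactMismatch(f"{coordinate}: pinned {expected}, registry served {actual}")
    return data


def record_pin(registry: dict, lockfile: dict, coordinate: str) -> str:
    """First trusted execution: capture the content digest so later runs can detect drift."""
    digest = content_digest(registry[coordinate])
    lockfile[coordinate] = digest
    return digest


def execute(artifact: bytes, credential_scope: list) -> dict:
    """Stand-in for running the tool: records which content received which credentials."""
    return {"content": artifact, "credentials_passed": list(credential_scope)}


def simulate() -> dict:
    """Walk both modes through an artifact replacement at an unchanged coordinate."""
    coordinate = "example-registry/scanner:vX.Y.Z"  # placeholder tag, not a real release
    original = b"scanner release, original content (constructed)"
    substituted = b"scanner release, replaced content at the same tag (constructed)"
    creds = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"]  # variable names only, no values

    registry = {coordinate: original}  # constructed stand-in for a public registry
    lockfile: dict = {}

    # Run 1: the artifact is trusted and its content digest is pinned.
    record_pin(registry, lockfile, coordinate)
    first = execute(resolve_verified(registry, lockfile, coordinate), creds)

    # Between runs, the content behind the unchanged coordinate is replaced.
    registry[coordinate] = substituted

    # Run 2a: coordinate-only resolution executes the new content with the same credentials.
    coordinate_only = execute(resolve_by_coordinate(registry, coordinate), creds)

    # Run 2b: content-pinned resolution refuses before any credentials are handed over.
    try:
        resolve_verified(registry, lockfile, coordinate)
        verified_blocked = False
    except ArtifactMismatch:
        verified_blocked = True

    return {
        "first_run_content": first["content"],
        "coordinate_only_ran_substituted": coordinate_only["content"] == substituted,
        "coordinate_only_credentials": coordinate_only["credentials_passed"],
        "verified_blocked": verified_blocked,
        "pinned_digest": lockfile[coordinate],
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The point of the pin record is that it is state the pipeline owns, written at the moment of first trust and consulted on every later run; without it, as the post notes, there is nothing in the system that could tell the two artifacts apart, since both satisfy the coordinate.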
The Cisco pipeline did not malfunction. It fetched an artifact that matched its configured version string and executed it with the permissions it had been granted. The property that had made prior executions safe - content identity between the coordinate and a known-good binary - was not a property the system tracked, enforced, or even measured. When that property expired, the system had no record of it ever having existed. It continued executing.