Comment by jl6
5 days ago
To be clear, this is a supply chain attack on everyone that uses Trivy, not a supply chain attack on Trivy. It was a direct attack on Trivy, exploiting components that Aqua had full control and responsibility for. The term “supply chain attack” has a connotation of “it’s not really my fault, it was my dependencies that got compromised”.
Of course, every entity is ultimately accountable for its own security, including assigning a level of trust to any dependencies, so it’s ultimately no excuse, but getting hit by a supply chain attack does evoke a little more sympathy (“at least I did my bit right”), and I feel like the ambiguous wording of the title is trying to access some of that sympathy.
The term “supply chain attack” has a connotation of “it’s not really my fault, it was my dependencies that got compromised”.
In my experience that is definitely not true, and I've never heard anyone use it that way. Even though you are correct in who the target was.
A supply chain attack is an attack on a provider of a solution that is then deployed further. The issue with a supply chain attack is that the ultimate victim brings in trusted software that was compromised upstream.