Hackerbot-Claw Grows, Xygeni Tag Poisoning, GitHub Search HA, Windows SID Failures, and AI Skills Supply Chain
MAR 27, 2026 · 15 MIN
Description
<p>This episode of <strong>Ship It Weekly</strong> is about the places where convenience quietly turns into trust.</p>
<p>Brian revisits the Trivy story by zooming out to the bigger hackerbot-claw GitHub Actions campaign, then gets into the Xygeni tag-poisoning compromise, GitHub’s search high availability rebuild for GitHub Enterprise Server, Windows Server 2025 surfacing duplicate SID problems in cloned images, and the agent-skills ecosystem replaying package supply chain history. Plus: a quick lightning round on GitHub pausing self-hosted runner minimum-version enforcement and March secret scanning updates.</p>
<p><strong>Links</strong></p>
<p>OpenSSF advisory on active GitHub Actions exploitation <a target="_blank" rel="noopener noreferrer nofollow" href="https://seclists.org/oss-sec/2026/q1/246">https://seclists.org/oss-sec/2026/q1/246</a></p>
<p>Xygeni action compromise via tag poisoning <a target="_blank" rel="noopener noreferrer nofollow" href="https://www.stepsecurity.io/blog/xygeni-action-compromised-c2-reverse-shell-backdoor-injected-via-tag-poisoning">https://www.stepsecurity.io/blog/xygeni-action-compromised-c2-reverse-shell-backdoor-injected-via-tag-poisoning</a></p>
<p>GitHub Enterprise Server search high availability rebuild <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/engineering/architecture-optimization/how-we-rebuilt-the-search-architecture-for-high-availability-in-github-enterprise-server/">https://github.blog/engineering/architecture-optimization/how-we-rebuilt-the-search-architecture-for-high-availability-in-github-enterprise-server/</a></p>
<p>Microsoft on duplicate SIDs and non-generalized Windows Server 2025 images <a target="_blank" rel="noopener noreferrer nofollow" href="https://learn.microsoft.com/en-us/troubleshoot/exchange/administration/exchange-server-issues-on-incorrect-windows-server-image">https://learn.microsoft.com/en-us/troubleshoot/exchange/administration/exchange-server-issues-on-incorrect-windows-server-image</a></p>
<p>Socket on supply chain security for <a target="_blank" rel="noopener noreferrer nofollow" href="http://skills.sh">skills.sh</a> <a target="_blank" rel="noopener noreferrer nofollow" href="https://socket.dev/blog/socket-brings-supply-chain-security-to-skills">https://socket.dev/blog/socket-brings-supply-chain-security-to-skills</a></p>
<p>Snyk ToxicSkills research <a target="_blank" rel="noopener noreferrer nofollow" href="https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/">https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/</a></p>
<p>GitHub self-hosted runner minimum version enforcement paused <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/changelog/2026-03-13-self-hosted-runner-minimum-version-enforcement-paused/">https://github.blog/changelog/2026-03-13-self-hosted-runner-minimum-version-enforcement-paused/</a></p>
<p>GitHub secret scanning pattern updates, March 2026 <a target="_blank" rel="noopener noreferrer nofollow" href="https://github.blog/changelog/2026-03-10-secret-scanning-pattern-updates-march-2026/">https://github.blog/changelog/2026-03-10-secret-scanning-pattern-updates-march-2026/</a></p>
<p>More episodes and show notes at <a target="_blank" rel="noopener noreferrer nofollow" href="https://shipitweekly.fm">https://shipitweekly.fm</a></p>
<p>On Call Briefs at <a target="_blank" rel="noopener noreferrer nofollow" href="https://oncallbrief.com">https://oncallbrief.com</a></p>