SecurityWeek reports that build application firewalls (BAFs) inspect runtime behaviour inside the software build pipeline rather than merely scanning code; InvisiRisk's BAF is designed to enforce policy while the build is running. The article notes that the 2020 SolarWinds supply chain attack affected around 18,000 organisations and that the same attack style has recurred in recent incidents, underscoring the need for deeper protection of CI/CD workflows.
In March 2026, North Korean actors hijacked the npm account of an Axios maintainer and published two malicious versions of the library; an estimated 3% of Axios users are believed to have downloaded them before removal, and the packages delivered a remote access Trojan through CI/CD pipelines. Separately, in February and March 2026, TeamPCP compromised Aqua's Trivy, BerriAI's LiteLLM and Checkmarx/kics to breach CI/CD pipelines, and Mercor later announced that it was among thousands of companies impacted by the LiteLLM-related activity of 31 March.
The article highlights that traditional scanners can miss zero-day risks and insider-style threats, and that SBOMs are increasingly required in software sales, although their quality varies. It also explains that hardened runners see only DNS queries, whereas the BAF's deep packet inspection can reveal where confidential data actually travels, and that the system can block any build activity that does not match the expected behaviour precisely. SecurityWeek, 11 May 2026.
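To make the DNS-versus-connection distinction concrete, the following is an added illustration written for this summary; it is not InvisiRisk's code and does not describe how their BAF works internally. It runs a simple fail-closed egress allow-list over a constructed record of one build job's network activity. The hostnames, IP addresses (taken from documentation ranges), byte counts and the allow-list are all invented for the example. A DNS-only observer sees nothing wrong, because every name the build resolved is permitted; a per-connection check catches the two outbound connections that carry no allowed name at all.

```python
"""Build-egress policy check over constructed connection records.

Added illustration, not vendor code: contrasts what a runner that only sees DNS
can flag with what a per-connection view can flag, and fails the build closed
when any outbound connection falls outside the allow-list.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    kind: str                    # "dns" (a name lookup) or "connect" (an outbound TCP connection)
    name: Optional[str]          # queried name for dns; TLS SNI / HTTP Host for connect; None if absent
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    bytes_out: int = 0           # bytes the build job sent to this destination


# Assumed allow-list: destinations a dependency-install step may legitimately contact.
ALLOWED_HOSTS: Set[str] = {"registry.npmjs.org", "github.com", "objects.githubusercontent.com"}

# Constructed sample: a normal install plus two exfiltration attempts. All values invented;
# IPs are from RFC 5737 documentation ranges.
SAMPLE_EVENTS: List[Event] = [
    Event("dns", "registry.npmjs.org"),
    Event("connect", "registry.npmjs.org", "192.0.2.10", 443, bytes_out=2_100),
    Event("dns", "github.com"),
    Event("connect", "github.com", "192.0.2.20", 443, bytes_out=900),
    # Exfil 1: connects straight to an IP; no DNS query is ever made, so a DNS-only view is blind.
    Event("connect", None, "203.0.113.7", 443, bytes_out=48_000),
    # Exfil 2: the TLS SNI names a host that is not on the allow-list (and was never resolved via DNS).
    Event("connect", "collector.example.net", "198.51.100.20", 443, bytes_out=12_000),
]


def dns_only_view(events: List[Event], allowed: Set[str]) -> List[str]:
    """Names a DNS-only observer would flag: queried names outside the allow-list."""
    return sorted({e.name for e in events if e.kind == "dns" and e.name not in allowed})


def connection_view(events: List[Event], allowed: Set[str]) -> List[Tuple[str, str, Optional[str], int]]:
    """Per-connection check: every outbound connection must carry an allowed name.

    Returns (reason, dst_ip, name, bytes_out) for each violation. A connection with no
    name at all (direct-to-IP, or a ClientHello with no usable SNI) is treated as a
    violation rather than ignored, so the check fails closed.
    """
    violations = []
    for e in events:
        if e.kind != "connect":
            continue
        if e.name is None:
            violations.append(("no-name-direct-ip", e.dst_ip, None, e.bytes_out))
        elif e.name not in allowed:
            violations.append(("host-not-allowed", e.dst_ip, e.name, e.bytes_out))
    return violations


def enforce(events: List[Event], allowed: Set[str]) -> Tuple[bool, int]:
    """Build gate: (passed, bytes sent to disallowed destinations)."""
    violations = connection_view(events, allowed)
    leaked = sum(v[3] for v in violations)
    return (len(violations) == 0, leaked)


if __name__ == "__main__":
    print("DNS-only view flags:", dns_only_view(SAMPLE_EVENTS, ALLOWED_HOSTS))
    for v in connection_view(SAMPLE_EVENTS, ALLOWED_HOSTS):
        print("connection view flags:", v)
    passed, leaked = enforce(SAMPLE_EVENTS, ALLOWED_HOSTS)
    print("build passed:", passed, "| bytes to disallowed destinations:", leaked)
```

The point of treating a nameless connection as a violation is that the name is the only thing the allow-list can match on; a build that pins to an IP, or a client that hides the server name, yields no name and would otherwise slip through. Real inspection of build traffic has to cope with more than this (encrypted or absent SNI, proxies, protocols other than TLS), but the same fail-closed rule applies: anything that cannot be matched to expected behaviour is stopped, which is the property the article attributes to the BAF.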