2 points by t-3, 2 days ago | 1 comment
  • trustfixsec, 2 days ago
    Great find; the irony of a security scanner being the attack vector is brutal. For those who haven't read it: attackers poisoned Trivy (a widely used vulnerability scanner), which gave them a static AWS API key from the EC's CI pipeline, leading to 92GB of stolen data across 30+ EU entities. The root cause is painfully common: long-lived API keys with broad access sitting in CI/CD pipelines that nobody revisits after setup. Most orgs treat pipeline creds as a one-time config, not an ongoing security surface.
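The "nobody revisits them after setup" point above is what an access-key audit catches. The following is an added example, not code from the thread or from Trivy: the records mirror the fields boto3's IAM `list_access_keys` and `get_access_key_last_used` return (merged here, with constructed sample values and made-up key IDs), and the 90-day age and 30-day idle thresholds are assumed policy values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape of boto3 iam.list_access_keys()
# merged with iam.get_access_key_last_used(); the key IDs are not real.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=700),
     "LastUsedDate": NOW - timedelta(days=1)},      # old but in daily use
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Active", "CreateDate": NOW - timedelta(days=400),
     "LastUsedDate": None},                          # created, never used
    {"UserName": "scanner-bot", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Active", "CreateDate": NOW - timedelta(days=30),
     "LastUsedDate": NOW - timedelta(days=2)},       # fresh and in use
    {"UserName": "old-admin", "AccessKeyId": "AKIAEXAMPLE000000004",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=900),
     "LastUsedDate": NOW - timedelta(days=500)},     # disabled, skipped
]


def audit_access_keys(keys, now=NOW, max_age_days=90, max_idle_days=30):
    """Return (user, key_id, reasons) for every Active key that is older
    than max_age_days, idle longer than max_idle_days, or never used.
    Thresholds are assumed policy values, not AWS defaults."""
    findings = []
    for k in keys:
        if k["Status"] != "Active":
            continue  # an inactive key cannot authenticate; handle separately
        reasons = []
        age = (now - k["CreateDate"]).days
        if age > max_age_days:
            reasons.append(f"age {age}d > {max_age_days}d")
        last = k.get("LastUsedDate")
        if last is None:
            reasons.append("never used")
        else:
            idle = (now - last).days
            if idle > max_idle_days:
                reasons.append(f"idle {idle}d > {max_idle_days}d")
        if reasons:
            findings.append((k["UserName"], k["AccessKeyId"], reasons))
    return findings


if __name__ == "__main__":
    for user, key_id, reasons in audit_access_keys(SAMPLE_KEYS):
        print(f"{user} {key_id}: {'; '.join(reasons)}")
```

Against live data, replace SAMPLE_KEYS with the output of the two boto3 calls named above; a key that trips the age check while still in daily use (like the first record) is exactly the pipeline credential the comment describes.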