PatchDay Alert
Analysis · 3 min read · 553 words By analysis-desk

When the build tool, the GitHub Action, and sudo are the vulnerability

tj-actions, a poisoned GitHub Action; Sudo's chroot bug; 7-Zip's Mark-of-the-Web bypass; Git, FreeType, Erlang/OTP, PHPMailer, Vite, jQuery. The developer-tooling and dependency entries are the supply chain itself getting exploited, the layer beneath the apps you ship.

A distinct slice of the catalog isn’t applications or appliances; it’s the developer tooling and shared dependencies underneath everything else: the GitHub Actions, the build tools, the command-line utilities, and the libraries that ship inside thousands of products. When these get exploited, the blast radius is the supply chain itself. The recent entries make the category visible.

Poisoned CI/CD components

  • tj-actions/changed-files (a widely-used GitHub Action) was compromised in a supply-chain attack: the action was modified to leak CI/CD secrets from the runners of every repository using it, an enormous downstream reach from one trusted dependency. reviewdog/action-setup was implicated in the same campaign. This is the Kaseya/SolarWinds logic applied to the open-source CI ecosystem: compromise one trusted component, reach everyone who depends on it. Pin actions to commit hashes, not tags, and audit third-party actions.

Command-line and system tools

  • Sudo CVE-2025-32463 is a local privilege escalation via the --chroot option, on the single most security-critical utility on Linux. 7-Zip had a Mark-of-the-Web bypass (the MotW genre again). Git, GNU Bash, GNU InetUtils, and Notepad++ round out the system/CLI tools, the utilities present on nearly every developer and server machine, where a bug is broadly exposed.

Shared libraries and runtimes

  • FreeType (the font-rendering library embedded in countless systems and apps), Erlang/OTP (whose SSH library had a critical RCE), PHPMailer, jQuery, Vite, Prettier’s eslint-config, React Native CLI, Adminer, and MongoDB are dependencies and frameworks that live inside other software. A flaw in one is a flaw in everything that bundles it, the Log4Shell and ExifTool lesson: your exposure includes your dependencies’ dependencies.

What to do

  • Build a software bill of materials (SBOM) and dependency inventory. You cannot respond to a FreeType or Erlang/OTP bug if you don’t know what bundles it. This is the durable, repeated lesson of the dependency entries.
  • Pin and audit CI/CD dependencies. Pin GitHub Actions to full commit SHAs, review third-party actions, scope runner secrets to the minimum, and treat the CI pipeline as production infrastructure.
  • Patch system and CLI tools fleet-wide. Sudo, Git, Bash, and 7-Zip are everywhere; keep them current through your package management.
  • Track upstream advisories for your stack’s libraries, and have a fast path to rebuild and redeploy when an embedded component is fixed, the Telerik “you own the rebuild” point.
  • Reduce trust in the supply chain. Fewer, well-vetted dependencies and actions; verified provenance where available; and least-privilege everywhere a build component runs.
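
One way to check the pinning advice in the list above and under "Poisoned CI/CD components", as an added example that is not from this article or from any project it names: a small Python audit that flags every `uses:` reference in a workflow file that is not pinned to a full 40-character commit SHA. The sample workflow, its tag and branch names, and the SHA are constructed placeholders.

```python
import re

# A `uses:` key on a step or job, optionally quoted; stops before a trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed sample workflow; the SHA is a made-up placeholder, not a real commit.
SAMPLE = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: tj-actions/changed-files@v1
      - name: lint
        uses: "reviewdog/action-setup@main"
      - uses: ./.github/actions/local-build
"""

def classify(ref: str) -> str:
    """Return 'local', 'pinned' or 'mutable' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"  # same repository, versioned together with the workflow
    version = ref.partition("@")[2]
    # Container references are pinned by image digest, actions by commit SHA.
    pattern = DIGEST_RE if ref.startswith("docker://") else FULL_SHA_RE
    # Tags and branches can be moved to new code; anything that is not a
    # full-length identifier is reported as mutable.
    return "pinned" if pattern.fullmatch(version) else "mutable"

def audit(workflow_text: str) -> list:
    """Return (line_number, reference, verdict) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1))))
    return findings

def unpinned(workflow_text: str) -> list:
    """Return (line_number, reference) for references that need pinning."""
    return [(n, ref) for n, ref, v in audit(workflow_text) if v == "mutable"]

if __name__ == "__main__":
    for lineno, ref, verdict in audit(SAMPLE):
        print(f"line {lineno}: {ref} -> {verdict}")
```

Run over every file under `.github/workflows/` in CI, a non-empty `unpinned()` result can fail the build so a mutable reference never reaches the default branch.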

The reframe is to recognize the layer beneath your applications (the build tools, CI components, CLI utilities, and shared libraries) as attack surface in its own right, and increasingly a targeted one. tj-actions showed an attacker can compromise thousands of pipelines through one trusted action; Sudo and FreeType show how a bug in a ubiquitous tool or library reaches everywhere. Inventory your dependencies, pin and audit your CI components, patch your system tools, and treat the supply chain as something you actively defend. We track the developer-tooling and dependency entries closely, because they’re the bugs whose blast radius is everyone downstream.
