Episode description (show notes):
This month, Adrian and Alex dig into what happens when one breach detonates a chain of others, and why "we have a SOC 2 report" is no defense when the vendor underneath you gets popped. The featured case is Marquis Software Solutions vs SonicWall, where a 2025 breach of SonicWall's MySonicWall cloud backup service gave attackers everything they needed to break into Marquis, drop ransomware, and exfiltrate data on customers of 74 banks and credit unions. Three layers of lawsuits later (consumers suing the banks, banks pressuring Marquis, Marquis now suing SonicWall), Adrian and Alex use the case to make a point about software liability, the absurdity of "as-is" terms in critical infrastructure, and why bare-minimum vendor diligence and self-attestations will surface during discovery as exhibits against you.
Story two is the Trivy supply chain compromise, where TeamPCP turned Aqua Security's open-source container scanner into a credential-harvesting beachhead. After an incomplete credential rotation following an earlier incident, the attackers pushed a malicious binary, dropping an infostealer that ran before the legitimate scan and silently swept GitHub tokens, AWS/GCP/Azure credentials, SSH keys, and Kubernetes tokens out of CI/CD runners and developer machines. The blast radius reached Cisco, the European Commission, Checkmarx, Bitwarden's CLI, LiteLLM, Guesty, S&P Global, and seeded the CanisterWorm npm worm. Alex walks through the "how not to get Trivied" playbook: pin GitHub Actions to commit SHAs, kill long-lived CI/CD credentials in favor of OIDC and ephemeral tokens, compartmentalize CI from CD (ideally on different platforms), shrink your dependency graph, and demand evidence of SAST/SCA and IR practice from every third party whose code ends up in your pipeline.
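One concrete check from the playbook above, as an added example that is not from the podcast or any of the linked sources: a small Python linter that flags `uses:` references in a GitHub Actions workflow that are not pinned to a full 40-hex commit SHA, and `env` lines that inject conventional static cloud-credential secrets instead of OIDC-issued tokens. The secret names it looks for and the sample workflow (including the placeholder SHA) are constructed assumptions.

```python
import re

# A full 40-hex commit SHA is the only immutable way to reference a GitHub Action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Conventional secret names for static cloud credentials (assumed names, not a complete list).
STATIC_CLOUD_SECRET_RE = re.compile(
    r"\$\{\{\s*secrets\.(AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AZURE_CLIENT_SECRET|GCP_SA_KEY)\s*\}\}"
)

def find_unpinned_actions(workflow_yaml: str) -> list[tuple[int, str]]:
    """Return (line_no, ref) for each `uses:` not pinned to a full commit SHA.
    Local (./) and docker:// references are out of scope and skipped."""
    findings = []
    for line_no, line in enumerate(workflow_yaml.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith(("./", "docker://")):
            continue
        version = ref.rsplit("@", 1)[1] if "@" in ref else ""
        if not SHA_RE.match(version):  # tag, branch or missing ref: mutable, can be retargeted
            findings.append((line_no, ref))
    return findings

def find_static_cloud_secrets(workflow_yaml: str) -> list[tuple[int, str]]:
    """Return (line_no, secret_name) wherever a long-lived cloud credential is injected."""
    return [(n, m.group(1)) for n, line in enumerate(workflow_yaml.splitlines(), start=1)
            if (m := STATIC_CLOUD_SECRET_RE.search(line))]

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # pinned
        env:
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
"""

if __name__ == "__main__":
    for n, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {n}: '{ref}' is not pinned to a commit SHA")
    for n, name in find_static_cloud_secrets(SAMPLE_WORKFLOW):
        print(f"line {n}: static credential {name}; prefer OIDC-issued short-lived tokens")
```

Run it against the `.github/workflows/*.yml` files in a repository to get a quick inventory of mutable action references and static credentials before a CI/CD runner ever executes them.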
Resources:
- https://destroyedbybreach.com
- https://kaynemcgladrey.com/compliance-paperwork-wont-save-you-from-a-vendor-breach/
- https://www.acaglobal.com/industry-insights/sonicwall-cloud-backup-breached-firewall-configurations-compromised/
- https://www.tenchisecurity.com/en/insights-news/secure-practices-trivy-supply-chain-attack
- https://thenewstack.io/teampcp-trivy-supply-chain-attack/