Sign in Subscribe
Self-Hosted Weekly

Self-Hosted Weekly: Week 15, 2026. Trivy Breach Hits the EU, Linux 7.0 Incoming, and Nix Gets a CVSS 9

Michael Soto

5 min read
Self-Hosted Weekly: Week 15, 2026. Trivy Breach Hits the EU, Linux 7.0 Incoming, and Nix Gets a CVSS 9

This was the week the open-source supply chain broke in the most spectacular way possible. A poisoned version of Trivy — the vulnerability scanner half the industry trusts to keep them safe — gave attackers the keys to the European Commission's cloud. Meanwhile, Linux 7.0 is days away, OpenSSH patched a shell injection flaw, and Nix got hit with a CVSS 9 privilege escalation. Buckle up.

1. Trivy Supply Chain Attack Breaches the European Commission

This is the story of the week, and possibly the year. On March 19, attackers from TeamPCP compromised Aqua Security's Trivy — one of the most widely-used open-source vulnerability scanners — and pushed a malicious update (v0.69.4). The European Commission downloaded it through normal update channels.

The poisoned Trivy stole an AWS API key that functioned as a master key across the Commission's cloud infrastructure. The result? ShinyHunters published 340GB of stolen data from up to 71 EU entities — personal data, contracts, emails, and military financing documents.

It gets worse. TeamPCP didn't stop at Trivy. They targeted Checkmarx KICS (force-pushing malicious commits to all 35 version tags) and then pivoted to LiteLLM, an AI gateway tool whose CI/CD pipeline used Trivy for scanning.

Hot take: The tool you use to find vulnerabilities became the vulnerability. This is the nightmare scenario that supply chain security researchers have been warning about for years. If your security scanner gets compromised, everything downstream is exposed. Expect a massive push for reproducible builds, signed releases, and SLSA compliance in the coming months.

2. Linux Kernel 7.0 RC7 — Final Release Days Away

Linus Torvalds released Linux 7.0-rc7 on April 5, confirming the stable release is on track for April 12. The major version bump (from 6.19 to 7.0) is cosmetic — Torvalds ran out of fingers and toes — but the release itself is significant: improved docs for AI agents, WiFi driver performance fixes, and the culmination of the 6.x era.

Ubuntu 26.04 LTS hopes to ship with kernel 7.0 as its default.

Hot take: The version number is meaningless (Linus said so himself), but the timing matters. Linux 7.0 landing just as AI workloads explode means this kernel is the foundation for the next wave of self-hosted AI infrastructure. If you're running Ollama or GPU workloads on bare metal, pay attention to the stable release.

3. OpenSSH 10.3 Patches Shell Injection and Four Other Flaws

OpenSSH 10.3 dropped on April 2 with fixes for five security bugs, including a shell injection vulnerability where user names with shell metacharacters could execute arbitrary commands through %-tokens in ssh_config.

Other fixes: ECDSA enforcement, certificate principal matching, PKCS#11 PIN entry, and FIDO/WebAuthn handling. Plus a nice hardening change — agent listener sockets now live under ~/.ssh/agent instead of /tmp, reducing ambient access risks.

Hot take: The shell injection fix is subtle but nasty. If you're running SSH with Match exec blocks and user-controlled input, you were vulnerable. Update immediately — this affects every Linux server you manage.

4. Nix Package Manager Hit With CVSS 9 Privilege Escalation

CVE-2026-39860 is a critical privilege escalation in Nix that lets local users overwrite arbitrary files as root. The irony? It's a bug in the fix for a previous vulnerability (CVE-2024-27297). A malicious derivation builder can create a symlink that the Nix daemon follows during output registration, overwriting sensitive host files.

Affects all Nix versions on multi-user Linux installations. Patched in 2.34.5 and backported across six older release branches.

Hot take: NixOS has been gaining serious momentum as a reproducible infrastructure platform. A root privilege escalation — especially one that's a regression from a previous fix — is a trust hit the project didn't need. The good news: the response was fast and the patch coverage is thorough.

5. OpenCTI Arbitrary Code Execution (CVSS 9.1)

CVE-2026-39980 hits OpenCTI, the popular open-source cyber threat intelligence platform. Authenticated users with certain capabilities can execute arbitrary JavaScript code on the server. Fixed in version 6.9.5.

Hot take: When your threat intelligence platform becomes the threat, you've got a problem. If you're running OpenCTI self-hosted, upgrade to 6.9.5 immediately.

6. Kubernetes 1.36 Doc Freeze — gitRepo Plugin Gone Forever

The Kubernetes 1.36 doc freeze hit on April 9, locking in the feature list for the April 22 release. Headlines: OCI VolumeSource goes stable, user namespaces in Pods go stable, and the gitRepo volume plugin is permanently disabled to fix a critical vulnerability that allowed root code execution on nodes.

New alpha features focus on AI/ML workload preemption, sharded API streams for large clusters, and deeper Dynamic Resource Allocation integration.

Hot take: The gitRepo removal is the right call — it was a security liability that nobody should have been using in production anyway. The AI/ML scheduling improvements signal that Kubernetes is serious about being the platform for GPU workloads, not just web apps.

7. Reflection AI Raises $2.5B for Open-Source Frontier Models

Nvidia-backed Reflection AI entered talks to raise $2.5B at a $25B valuation to build open-source frontier models, positioning itself as America's answer to DeepSeek. Meanwhile, Nexthop AI raised $500M for open-source networking infrastructure purpose-built for AI data center fabrics.

Hot take: $3B in a single week flowing into open-source AI infrastructure. The bet is clear: open models win the ecosystem war, and the network layer connecting GPU clusters is the next bottleneck. Self-hosters who invested early in tools like Ollama and Open WebUI are about to benefit from a tsunami of model improvements.

8. Canonical LXD Project Restriction Bypass (CVSS 9.1)

CVE-2026-34178 lets authenticated remote attackers bypass project restrictions in LXD during backup import. Published April 9, affects LXD versions before 6.8. If you're running multi-tenant LXD environments, patch now.

Hot take: LXD project restrictions exist specifically for multi-tenant isolation. A bypass via backup import is a creative attack vector that most security reviews wouldn't catch. Another reminder that backup and restore paths are often the weakest link in container security.

What We're Watching Next Week

  • Linux Kernel 7.0 stable release (expected April 12) — the biggest kernel event in years
  • Kubernetes 1.36 release (April 22) — approaching fast
  • Trivy post-mortem and industry response — expect new signing/verification requirements across the ecosystem
  • Open Source Endowment first grant criteria — Q2 deadline approaching

The Bottom Line

This week's theme? Trust. The Trivy breach proved that trust in your security tools is itself an attack surface. The Nix CVE showed that fixes can introduce new vulnerabilities. The OpenSSH patch reminded us that even 25-year-old software has hidden injection vectors. And the LXD bypass demonstrated that backup paths are security boundaries too.

On the bright side: $3B flowing into open-source AI infrastructure, Linux 7.0 arriving on schedule, and Kubernetes 1.36 maturing GPU workload support. The ecosystem is simultaneously more powerful and more under attack than ever.

Patch everything. Trust nothing. See you next Friday.

Thanks for reading ❤️ See you in the next one 👋

Sign up for more like this.

Enter your email
Subscribe