⚡ Speed Kills (Your Security) — The CI/CD Dilemma Nobody Wants to Have
- corporatesurvivord
- May 17
- 3 min read

CI/CD pipelines were built on a beautiful promise: ship faster, break less, compete harder. And for the most part, they delivered — turning weeks of release cycles into hours. Businesses loved it, developers loved it, and competitors feared it. Then attackers figured something out. The fastest road into your organisation isn't through your firewall. It's through your pipeline.
How the Attack Actually Works
When a developer runs something as mundane as npm install, the pipeline automatically pulls the latest version of a dependency in the background. That package may have been updated overnight — not by its original author, but by an attacker who compromised the maintainer's account and quietly slipped in malicious code. The code executes during installation, before your tests run, before your security scans kick in, before any human has a chance to look. By the time your morning standup begins, credentials may already be harvested and your cloud environment already probed.
This is exactly what happened with the Axios attack in early 2026 — one of the most widely used JavaScript libraries in the world, trusted by millions, compromised through a single maintainer's account and distributed automatically to every pipeline that pulled an update that day.
The Real Tension
CI/CD pipelines are designed to remove friction, and every approval gate or manual check is friction. But friction is also what catches attackers.
You're not just automating efficiency. You're automating "blind faith."
Think of it like a restaurant kitchen that automatically restocks ingredients from its usual supplier without any checks, because the supplier has always been reliable. One day, the delivery gets tampered with — but the packaging looks the same, the invoice looks the same, and the kitchen doesn't inspect. The ingredient goes straight into the pot. A smart kitchen builds in spot checks and a head chef who signs off on anything new. It doesn't stop the kitchen from running fast; it just means nobody gets food poisoning.
So What Should Companies Actually Do?
The answer isn't "slow everything down." That's not a strategy — that's surrender.
The answer is graduated trust — different lanes for different levels of risk.
🟢 Fast Lane — Low scrutiny, high trust
Internal packages your team owns and controls. No external dependencies. Auto-deploy freely.
🟡 Middle Lane — Verified, then automated
Well-established open-source packages with long track records, active communities, and no recent unusual activity. Pin to a specific version. Don't auto-pull updates. Update on a scheduled, reviewed cycle — not automatically.
🔴 Slow Lane — Human in the loop, always
New packages being introduced for the first time. Packages with recent maintainer changes. Anything touching authentication, payments, or data handling. These get a deliberate review before they go anywhere near production.
The Governance Conversation
For risk leaders, this isn't an IT problem to delegate. When engineering says "we need to move fast" and security says "we need to move carefully," the organisation needs a written, agreed answer to what good enough actually looks like — one that reflects your real risk appetite and gets revisited every time you onboard a new tool or vendor. Speed without governance is a liability waiting to be triggered, and governance without speed is a business waiting to be disrupted. The sweet spot has to be designed, not assumed.
What This Means for Singapore
Singapore companies — especially in finance, logistics, and tech — often run lean engineering teams that rely heavily on open-source tooling to stay competitive, which means the attack surface is frequently larger than leadership realises. The question to ask your team today is simple: do you know every open-source package running in production, whether your dependencies are pinned or auto-updating, and whether there's a human approval gate before any new third-party package enters your pipeline? If more than one of those answers is uncertain, that's where to start.
The companies that get this right aren't the ones that slow down — they're the ones that know exactly where to be fast and where to be deliberate.


Comments