09.06.2026

Helm APT Mirror Supply Chain Risk


The Helm Security Team published a notice about baltocdn.com, a former community-maintained Debian and Ubuntu APT mirror for Helm. The mirror was decommissioned in September 2025, then the domain was re-registered by a third party on May 19, 2026. Helm says any continued use of that domain is now a potential supply-chain risk.

What Changed

For years, many install snippets pointed Debian and Ubuntu systems at baltocdn.com for Helm packages. That endpoint is no longer a Helm APT mirror. Helm's current APT repository is hosted at packages.buildkite.com/helm-linux/helm-debian.

This matters because old package repository URLs often live longer than anyone expects. They hide in Dockerfiles, golden images, bootstrap scripts, Terraform user data, CI jobs, runbooks, and internal wiki pages. A domain that once looked trusted can become attacker-controlled infrastructure if old automation keeps reaching it.

Who Should Audit

Audit anything that installs or updates Helm through APT:

  • Debian and Ubuntu hosts
  • CI runners and build containers
  • Kubernetes node bootstrap scripts
  • Packer and image-builder templates
  • Configuration management roles
  • Internal developer platform documentation

Helm recommends treating any system that executed binaries sourced from baltocdn.com after May 19, 2026 as potentially compromised.

Start with source control. Search for the domain, old Helm APT source files, and install snippets that may still write to /etc/apt/sources.list.d.

rg -n "baltocdn\\.com|helm-stable|helm.*apt|apt.*helm" .

For container images and CI definitions, also search generated assets and ignored files when your checkout has them:

rg -n --hidden --glob '!node_modules' "baltocdn\\.com|helm-stable" .

Fleet Checks

On Debian or Ubuntu hosts, check APT source files directly:

grep -R "baltocdn.com" /etc/apt/sources.list /etc/apt/sources.list.d 2>/dev/null

If you find a match, remove it and replace the configuration with Helm's current APT instructions from the official install guide. The current repository is:

https://packages.buildkite.com/helm-linux/helm-debian

Then refresh package metadata and verify the installed Helm binary version and origin through your normal asset inventory.
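The following POSIX shell script is an added example, not a command from Helm's notice or from this post. It extends the fleet check above: it scans an APT configuration tree for live references to baltocdn.com in both one-line .list entries and the URIs field of deb822 .sources stanzas, skips lines that are already commented out, and can comment out stale one-line entries while keeping a backup. The sample files it builds under mktemp are constructed for the demonstration; the old https://baltocdn.com/helm/stable/debian/ entry is modelled on the retired install snippet, and SUITE and COMPONENT on the migrated line are placeholders to be taken from the official install guide.

```shell
#!/bin/sh
# Added example, not from the Helm notice or the original post.
# Scans an APT configuration tree (real use: /etc/apt) for live references
# to the decommissioned baltocdn.com mirror. Covers one-line entries in
# *.list files and the URIs: field of deb822 *.sources files, and ignores
# lines that are already commented out.

# scan_apt_sources DIR
#   prints "file:line:content" for every live reference
#   returns 1 if any were found, 0 if the tree is clean
scan_apt_sources() {
    dir="$1"
    hits=$(find "$dir" -type f \( -name '*.list' -o -name '*.sources' \) -print0 2>/dev/null \
        | xargs -0 grep -Hn -i 'baltocdn\.com' 2>/dev/null \
        | grep -v -E '^[^:]+:[0-9]+:[[:space:]]*#' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# count_hits DIR -> number of live references, for scripting
count_hits() {
    scan_apt_sources "$1" | grep -c . || true
}

# disable_stale_lines FILE
#   comments out every live one-line "deb ..." entry that references
#   baltocdn.com, keeping FILE.bak. deb822 stanzas span several lines and
#   are left for manual removal; add the current repository afterwards
#   following Helm's official install guide.
disable_stale_lines() {
    file="$1"
    cp "$file" "$file.bak"
    sed -e 's|^\([[:space:]]*deb.*baltocdn\.com.*\)$|# disabled (decommissioned mirror): \1|' \
        "$file.bak" > "$file"
}

# make_fixture -> path of a constructed /etc/apt lookalike used for the demo:
#   one stale one-line entry, one migrated file with the old line commented
#   out, one deb822 stanza still pointing at the old mirror, and an
#   unrelated Debian entry.
make_fixture() {
    fixture=$(mktemp -d)
    mkdir -p "$fixture/sources.list.d"
    cat > "$fixture/sources.list" <<'EOF'
deb http://deb.debian.org/debian bookworm main
EOF
    # modelled on the retired Helm install snippet (constructed sample)
    cat > "$fixture/sources.list.d/helm-stable-debian.list" <<'EOF'
deb [arch=amd64 signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main
EOF
    # SUITE and COMPONENT are placeholders; take the real values from the guide
    cat > "$fixture/sources.list.d/helm-migrated.list" <<'EOF'
# deb https://baltocdn.com/helm/stable/debian/ all main
deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian SUITE COMPONENT
EOF
    cat > "$fixture/sources.list.d/legacy.sources" <<'EOF'
Types: deb
URIs: https://baltocdn.com/helm/stable/debian/
Suites: all
Components: main
EOF
    printf '%s\n' "$fixture"
}

# Demo run against the fixture; on a real host call: scan_apt_sources /etc/apt
demo_dir=$(make_fixture)
scan_apt_sources "$demo_dir" \
    || echo "stale references found: $(count_hits "$demo_dir")"
rm -rf "$demo_dir"
```

On a host, source the file and run scan_apt_sources /etc/apt; a non-zero exit code makes it usable as a gate in a configuration-management run or a CI image check. The one-line filter deliberately matches only lines that begin with "deb", so deb-src entries are caught but lines already disabled with a leading "#" are not touched twice.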

Incident Response Notes

If a host, CI runner, or image build pulled Helm from baltocdn.com after May 19, isolate it like any other suspected supply-chain event. Preserve logs, rotate credentials exposed to that environment, rebuild from known-good base images, and review outbound connections during the install window.

For prevention, block baltocdn.com at the proxy or firewall. Helm says the domain is decommissioned and no longer needed for legitimate Helm workflows, so blocking it should not break healthy automation.

Conclusion

This is a small but sharp reminder that package repositories are part of production infrastructure. Old domains, old snippets, and old base images can quietly become active risk. Search for baltocdn.com, migrate Helm APT installs to the current repository, and treat any recent execution from the old mirror as an incident trigger.

Need faster incident response for Kubernetes and infrastructure changes? Akmatori helps SRE teams detect, explain, and resolve production issues with AI agents built for operations. Akmatori runs on Gcore infrastructure for reliable global performance.
