supply chain
39 posts
CVE-2026-31840 blames the encoder, corrupts the decoder heap
CVE-2026-31840: FFmpeg's AAC path carries a heap out-of-bounds write and UAF. The bug is in the decoder, not the encoder - mechanism, exploitation surface, and telemetry.
Mirai's hardcoded logins still answer on 554
Open webcams indexed by Shodan and Censys are not a privacy footnote - they map insecure OEM firmware, exposed services, and supply chain risk.
Mythos AI cleared for distribution, no validation report
REDLINE breaks down the security risk in releasing Mythos AI to trusted US organizations: not the model, the missing adversarial validation and zero prompt-level telemetry.
The device is the inventory
Smart TV apps embed residential proxy SDKs that turn devices into exit nodes. The trust failure lives in the build pipeline, not the hardware.
Half of LG TV apps are exit nodes
Residential proxy SDKs sit in nearly half of LG webOS apps, turning smart TVs into rentable exit nodes LG neither blocks nor detects. The mechanism and telemetry gap.
Stop Killing Games guarantees unpatched network-reachable code
Stop Killing Games is preservation law, not a security control. Statute governs publishers; it never patches the memory-corruption bugs attackers exploit.
No mitigations, full code execution
Memory corruption in shared embedded firmware components grants attacker code execution at firmware privilege, replicated across hundreds of vendor devices.
Ring 0, fed a stranger's save file
The US directive suspending Fable 5 and Mythos 5, analyzed: why game clients are privileged code, how asset and netcode bugs work, and why trust is the flaw.
Typosquatted Microsoft AI packages harvest developer credentials
How attackers weaponised typosquatted Microsoft AI tooling to harvest OpenAI, HuggingFace, AWS, and Azure credentials from developer workstations.
Your supply chain isn't compromised. It's working.
Microsoft's open-source developer tools executed credential-stealing code through normal package resolution. The control plane never inspected what was returned.
Antibody catalogs are unsanitized user input
Thermo Fisher antibody metadata manipulation is a supply chain attack against bioinformatics pipelines - not a data integrity issue. Here is the mechanism.
Motorola signed its own kill switch
Motorola's silent firmware push bricked its WiFi router line. The mechanism is identical to AcidRain. Here is what failed and why it repeats.