RC RANDOM CHAOS

supply chain

39 posts

CVE-2026-31840 blames the encoder, corrupts the decoder heap
Article

CVE-2026-31840 blames the encoder, corrupts the decoder heap

CVE-2026-31840: FFmpeg's AAC path carries a heap out-of-bounds write and UAF. The bug is in the decoder, not the encoder - mechanism, exploitation surface, and telemetry.

Mirai's hardcoded logins still answer on 554
Article

Mirai's hardcoded logins still answer on 554

Open webcams indexed by Shodan and Censys are not a privacy footnote - they map insecure OEM firmware, exposed services, and supply chain risk.

Mythos AI cleared for distribution, no validation report
Article

Mythos AI cleared for distribution, no validation report

REDLINE breaks down the security risk in releasing Mythos AI to trusted US organizations: not the model, the missing adversarial validation and zero prompt-level telemetry.

The device is the inventory
Article

The device is the inventory

Smart TV apps embed residential proxy SDKs that turn devices into exit nodes. The trust failure lives in the build pipeline, not the hardware.

Half of LG TV apps are exit nodes
Article

Half of LG TV apps are exit nodes

Residential proxy SDKs sit in nearly half of LG webOS apps, turning smart TVs into rentable exit nodes LG neither blocks nor detects. The mechanism and telemetry gap.

Stop Killing Games guarantees unpatched network-reachable code
Article

Stop Killing Games guarantees unpatched network-reachable code

Stop Killing Games is preservation law, not a security control. Statute governs publishers; it never patches the memory-corruption bugs attackers exploit.

No mitigations, full code execution
Article

No mitigations, full code execution

Memory corruption in shared embedded firmware components grants attacker code execution at firmware privilege, replicated across hundreds of vendor devices.

Ring 0, fed a stranger's save file
Article

Ring 0, fed a stranger's save file

The US directive suspending Fable 5 and Mythos 5, analyzed: why game clients are privileged code, how asset and netcode bugs work, and why trust is the flaw.

Typosquatted Microsoft AI packages harvest developer credentials
Article

Typosquatted Microsoft AI packages harvest developer credentials

How attackers weaponised typosquatted Microsoft AI tooling to harvest OpenAI, HuggingFace, AWS, and Azure credentials from developer workstations.

Your supply chain isn't compromised. It's working.
Article

Your supply chain isn't compromised. It's working.

Microsoft's open-source developer tools executed credential-stealing code through normal package resolution. The control plane never inspected what was returned.

Antibody catalogs are unsanitized user input
Article

Antibody catalogs are unsanitized user input

Thermo Fisher antibody metadata manipulation is a supply chain attack against bioinformatics pipelines - not a data integrity issue. Here is the mechanism.

Motorola signed its own kill switch
Article

Motorola signed its own kill switch

Motorola's silent firmware push bricked its WiFi router line. The mechanism is identical to AcidRain. Here is what failed and why it repeats.