supply chain security
42 posts
The rubric graded an empty chair
Brown's AI cheating scandal is not a student failure. It is an assessment system that resolves trust by reference and never revalidates the reality behind it.
A valid go.sum hash proves nothing
Argegy is not a CVE. It's a Go supply chain claim against go-ethereum - module trust, init() execution, T1195, and where telemetry goes blind.
Alibaba bans Claude Code across its engineering org
Alibaba's reported ban on Claude Code is a trust decision, not a CVE. Why an agentic coding tool's sanctioned egress is also its exfiltration path.
crustc ports rustc to C and voids every safety proof
Translating rustc to C strips Rust's compile-time memory-safety guarantees and reopens out-of-bounds writes, UAF, and type confusion in the toolchain.
Spain rips Palantir out of its data pipelines
Spain's Palantir blacklist is a supply chain concentration risk - a privileged vendor data plane mapped to MITRE T1199, and why customer telemetry stays blind.
Log4Shell executed exactly as written
Log4Shell, xz-utils, and Spring4Shell weren't isolated bugs. They were composition failures in systems too deep for anyone to fully read. The disease is complexity.
Your three memory vendors are one vendor
A US lawsuit alleging memory price fixing by Samsung, SK Hynix, and Micron exposes an unverified control: supplier independence assumed, never validated.
Springer Nature unpinned two papers, no log
Springer Nature removed two Max Planck studies. The real exposure is a research supply chain with no integrity log - the same trust gap as CI/CD poisoning.
California registers 3D printers it can't instrument
California's 3D printer registry concentrates reconnaissance data on a fleet of uninstrumented endpoints. The real gap is telemetry and data governance.
No one hacked the NSA
The NSA's Mythos access loss wasn't a breach - it was a control-plane revocation by a third party. A supply chain availability failure with no patch.
Compiling a Rust crate runs the author's code.
crates.io federates all publish identity to GitHub, turning one account takeover into build-time code execution across every downstream Cargo project.
Your build trusts whatever it can find
A build system executed code because a name resolved, not because content was verified. How trust attaches to the reference and outlives the artifact.