RC RANDOM CHAOS

supply chain security

42 posts

Sanctioned keylogger, unlocked back end
Article

Sanctioned keylogger, unlocked back end

Meta's exposed employee keystroke telemetry is not an AI story. It is a third-party data-handling failure: T1056.001 collection, an unauthenticated store, T1530 read.

A SQLite underflow, and the flood behind it
Article

A SQLite underflow, and the flood behind it

AI isn't replacing defenders - it's multiplying vulnerability volume, hallucinated dependencies, and synthetic findings. The skill that survives is validation at machine rate.

GitHub's scanners cleared 10,000 trojan repos
Article

GitHub's scanners cleared 10,000 trojan repos

10,000 GitHub repositories distributed trojan malware because platform presence was treated as validation. The control was assumed, not enforced.

Contagious Interview ends at npm install
Article

Contagious Interview ends at npm install

How DPRK actors turn LinkedIn job offers into code execution via npm postinstall hooks, what BeaverTail steals, and why developer endpoints stay blind.

PackageKit waved 1500 packages through unchecked
Article

PackageKit waved 1500 packages through unchecked

Arch Linux calls a 1500-package malware incident contained. An install path that skips verification was never a control, only a delivery channel.

A reverse shell dressed as a Firefox patch
Article

A reverse shell dressed as a Firefox patch

Inside the 2025 AUR compromise: how CHAOS RAT shipped in fake browser packages, why update automation made it worse, and how to audit PKGBUILDs in 30 seconds.

Same commit, two builds, checksums that disagree
Article

Same commit, two builds, checksums that disagree

A commit hash guarantees the repository, not the software. How build pipelines resolve trust once at the reference and inherit it against changed content.

Apple's June 2024 withholding just became standing policy
Article

Apple's June 2024 withholding just became standing policy

Apple's EU Siri withdrawal is an availability failure in centralized AI architecture: one regulatory ruling, one vendor flag, total regional shutdown.

npm v12 flips the breaker on silent installs
Article

npm v12 flips the breaker on silent installs

npm v12 deprecates older versions and hardens security defaults. What the moved enforcement points expose and what must be true before the release lands.

Sixty-three days to patch a forked parser
Article

Sixty-three days to patch a forked parser

Technical breakdown of the FrontierOS RCE: a forked XML parser, an unpatched two-year-old CVE, and the fork-tracking failure that shipped it.

The integration is the attack surface
Article

The integration is the attack surface

Pentagon raised Israeli collection risk to top tier. The technical exposure is supply chain privilege inherited from vendor software, not espionage.

Contractor PAT leaked 270GB of Times source
Article

Contractor PAT leaked 270GB of Times source

The 2024 NYT source code leak was not a credential breach. It was a credential sprawl chain. The mechanism, telemetry gaps, and what still applies.