supply chain security
42 posts
Sanctioned keylogger, unlocked back end
Meta's exposed employee keystroke telemetry is not an AI story. It is a third-party data-handling failure: T1056.001 collection, an unauthenticated store, T1530 read.
A SQLite underflow, and the flood behind it
AI isn't replacing defenders - it's multiplying vulnerability volume, hallucinated dependencies, and synthetic findings. The skill that survives is validation at machine rate.
GitHub's scanners cleared 10,000 trojan repos
10,000 GitHub repositories distributed trojan malware because platform presence was treated as validation. The control was assumed, not enforced.
Contagious Interview ends at npm install
How DPRK actors turn LinkedIn job offers into code execution via npm postinstall hooks, what BeaverTail steals, and why developer endpoints stay blind.
PackageKit waved 1500 packages through unchecked
Arch Linux calls a 1500-package malware incident contained. An install path that skips verification was never a control, only a delivery channel.
A reverse shell dressed as a Firefox patch
Inside the 2025 AUR compromise: how CHAOS RAT shipped in fake browser packages, why update automation made it worse, and how to audit PKGBUILDs in 30 seconds.
Same commit, two builds, checksums that disagree
A commit hash guarantees the repository, not the software. How build pipelines resolve trust once at the reference and inherit it against changed content.
Apple's June 2024 withholding just became standing policy
Apple's EU Siri withdrawal is an availability failure in centralized AI architecture: one regulatory ruling, one vendor flag, total regional shutdown.
npm v12 flips the breaker on silent installs
npm v12 deprecates older versions and hardens security defaults. What the moved enforcement points expose and what must be true before the release lands.
Sixty-three days to patch a forked parser
Technical breakdown of the FrontierOS RCE: a forked XML parser, an unpatched two-year-old CVE, and the fork-tracking failure that shipped it.
The integration is the attack surface
Pentagon raised Israeli collection risk to top tier. The technical exposure is supply chain privilege inherited from vendor software, not espionage.
Contractor PAT leaked 270GB of Times source
The 2024 NYT source code leak was not a credential breach. It was a credential sprawl chain. The mechanism, telemetry gaps, and what still applies.