supply chain security
42 posts
Editorial independence is a failed control
UK media failed to disclose defence sector ties in nearly 60 percent of cases. The disclosure gap is an information supply chain vulnerability - and it is exploitable.
One vendor, one subpoena, one reach
Cloudflare's VoidZero acquisition collapses the vendor boundary between build tooling and edge runtime. Attestation reduces to self-reporting.
Detection is not prevention.
Malicious npm packages reached Red Hat cloud services. The boundary admitted code, then classified it. That sequence defines the failure.
GitHub shipped optional hardening as a control
The GitHub breach follows a documented class of failure. The mechanism is identity issuance separated from validation. The industry chose documentation over enforcement.
Reputation is not a control
Harvard.edu and 140 other domains reported compromised. Why reputation-based controls fail when trusted origins are turned against their consumers.
CISA contractor leaked GovCloud keys to GitHub
Technical analysis of a CISA contractor's leaked AWS GovCloud admin keys on GitHub - blast radius, IAM persistence paths, CloudTrail detections, supply-chain tail.
The router is signing its own logs
Iran's claim about US backdoors in networking equipment describes an exposure pattern already present. The device is an actor, not infrastructure.
The Roblox cheat never touched Roblox
How a Roblox cheat turned into a Vercel supply chain compromise - stealer to stolen token to dependency confusion to persistent build-pipeline access.
Vercel hands attackers your build pipeline
Technical IR playbook for a Vercel CI/CD compromise: attack chain, MITRE ATT&CK mapping, telemetry gaps, containment sequence, and residual exposure.
How Trust Delegation Without Revalidation Creates Systemic Failure
Systems optimized for trust delegation without revalidation create persistent vulnerabilities. When automation assumes ongoing validity from trusted sources, adversaries exploit consistency-without breaking in-to propagate compromise at scale.
axios CVE-2025-3891: What the Advisories Don't Say About Immutable Images
CVE-2025-3891 in axios allows prototype pollution leading to RCE. This post reveals why deployed container images remain at risk even after patching, due to missing artifact provenance and immutable verification.
A Trivy-based CI/CD misconfiguration led to credential exposure in a Cisco-related incident
A review of how a misconfigured Trivy scan in Cisco's CI/CD pipeline led to AWS credential exposure due to unverified post-scan execution. Explores the systemic failure behind treating scanning outputs as trusted signals.