supply chain
7 posts
CVE-2026-3854 puts GitHub inside your trust boundary
CVE-2026-3854 enables RCE on GitHub.com and Enterprise Server. Why platform compromise becomes customer compromise across identity, secrets, and artefacts.
ShinyHunters exfiltrated Cisco source through Trivy
ShinyHunters exfiltrated Cisco source code through Trivy. The scanner inherited the runtime's identity. The runtime held everything.
A postcard breached a warship
A 5 dollar Bluetooth tracker hidden in a postcard broadcast a 585 million dollar warship's position for 24 hours. The control that failed was classification.
The power adapter was the attack
A WiFi camera concealed in a hotel power adapter transmitted to a foreign server. The boundary failed at the physical layer.
Your security scanner is the breach.
Cisco source code stolen, AWS keys breached, 300 repositories cloned. The exfiltration channel was Trivy operating inside Cisco's CI pipeline.
Claude Desktop installs silent macOS persistence
macOS grants signed apps install-time trust, then stops validating. Persistence lives in that gap. The trust model is the exposure.
Your Phone Is Nation-State Inventory
UK confirms 100 countries hold mobile spyware. The handset trust model has failed. Identity is the boundary, not the device.