RC RANDOM CHAOS

supply chain

39 posts

Workflows are code, not config
Article

Workflows are code, not config

CI workflow modification executes under repository trust. The control surface is the file. The boundary is the weakest identity allowed to merge.

The extension on your dock just shipped malware
Article

The extension on your dock just shipped malware

A compromised VSCode extension reached GitHub. Breakdown of the trust boundary that failed and what developer endpoints actually expose.

npm was never a trust boundary
Article

npm was never a trust boundary

Technical analysis of the Shai-Hulud npm supply chain attack hitting 314 packages including echarts-for-react, size-sensor, and timeago.js.

Shai-Hulud worm compromises 314 npm packages
Article

Shai-Hulud worm compromises 314 npm packages

Shai-Hulud npm worm hits 314 more packages via compromised maintainer accounts. Mechanism, telemetry gaps, and residual exposure analyzed.

A handle, a token, a SYSTEM shell
Article

A handle, a token, a SYSTEM shell

MiniPlasma is not a kernel defect. It is the externally visible behaviour of a trust model that confuses reference with verification.

The patch is the payload
Article

The patch is the payload

Three critical Linux kernel LPE findings in two weeks, one introduced by a fix. The defect is the patch pathway, not the bug.

Article

The dashboard pushed every critical CVE to GitHub

Technical analysis of a unified vulnerability dashboard pushed to a public GitHub repo, the scanner token blast radius, and what defenders actually see.

CVE-2026-3854 puts GitHub inside your trust boundary
Article

CVE-2026-3854 puts GitHub inside your trust boundary

CVE-2026-3854 enables RCE on GitHub.com and Enterprise Server. Why platform compromise becomes customer compromise across identity, secrets, and artefacts.

ShinyHunters exfiltrated Cisco source through Trivy
Article

ShinyHunters exfiltrated Cisco source through Trivy

ShinyHunters exfiltrated Cisco source code through Trivy. The scanner inherited the runtime's identity. The runtime held everything.

A postcard breached a warship
Article

A postcard breached a warship

A 5 dollar Bluetooth tracker hidden in a postcard broadcast a 585 million dollar warship's position for 24 hours. The control that failed was classification.

Itron's 8-K names an IT intrusion
Article

Itron's 8-K names an IT intrusion

Itron disclosed an internal IT breach. Technical analysis of attack vectors, supply chain blast radius, and what utility defenders should assume.

The power adapter was the attack
Article

The power adapter was the attack

A WiFi camera concealed in a hotel power adapter transmitted to a foreign server. The boundary failed at the physical layer.