
Wiz found an RCE in GitHub's git-push pipeline. The patch shipped in six hours.
CVE-2026-3854 is a CVSS 8.7 RCE in GitHub's git-push pipeline. github.com fixed it within hours. 88% of Enterprise Server installs were still vulnerable at disclosure.
Security reporter focused on supply-chain attacks, package-registry compromises, CVE disclosures, and the slow march toward post-quantum crypto.

Socket flagged a self-propagating worm in @automagik/genie, pgserve, and 14 sibling Namastex Labs packages. It steals 40 credential categories and republishes itself.

CVE-2026-34621 is an actively exploited Acrobat and Reader bug that runs attacker JavaScript inside the PDF runtime. The first sample hit VirusTotal in November and went unflagged.

Project Lighthouse logged 13 million cellular disruptions from car-mounted IMSI catchers spoofing legitimate towers. Three men face 44 charges in Canada's first SMS-blaster bust.

Microsoft's April 8 Patch Tuesday closes 167 CVEs. CVE-2026-32201 in SharePoint is being exploited and CISA added it the same day. Here's what to patch first.

SGLang's reranker renders chat templates without a sandbox. Load a hostile GGUF, hit /v1/rerank, and the attacker has Python on your inference box. No patch yet.

Werner Koch shipped GnuPG 2.5.19 on April 24 with FIPS-203 ML-KEM, the first stable post-quantum encryption algorithm in OpenPGP. Here's what changed and what didn't.

Aikido found a stage-2 Go binary inside two health-check-themed packages that runs an OpenAI-compatible router, sending Claude, GPT, and Gemini traffic through Chinese aggregators.

A malicious @bitwarden/[email protected] hit npm on April 22. The payload steals npm tokens, cloud secrets, and Claude Code credentials, then self-replicates.

CVE-2026-40372 lets attackers forge auth cookies on .NET 10.0.6 apps on Linux and macOS. The fix is 10.0.7. Here's what broke, who's exposed, and how to patch.

GHSA-xq3m-2v4x-88gg hits protobuf.js ≤8.0.0 / ≤7.5.4. Attacker-controlled schemas executed arbitrary JS on decode. One-line fix patched it.

IEEE S&P 2026 papers extend GPUHammer with GeForge, GDDRHammer, and GPUBreach. They flip GDDR6 bits to break out of the GPU and own the host.

A Context.ai compromise let attackers take over a Vercel employee's Google Workspace. Non-sensitive env vars were exposed, and a ShinyHunters persona is asking $2M.

Attackers force-pushed 75 of 76 trivy-action tags to a malicious commit. Pinning by tag turned a trusted scanner into an infostealer for CI pipelines.

Google's security team says cryptographically relevant quantum computers could arrive by 2029, six years before the NSA's 2031 deadline. What to migrate, and in what order.