devtake.dev
AI Security Hardware Open Source Policy Apple

#supply-chain

RSS

Supply-chain attacks, typosquatting, dependency compromises, and the ecosystem response.

Related: #security · 22 #credential-theft · 14 #ai-security · 7 #dev-tools · 6 #github · 6 #npm · 6 #rce · 6 #anthropic · 4 #china · 4 #malware · 4
A Renault electric powertrain unit, the kind that uses a wound-rotor motor with no rare-earth magnets
Hardware·

Renault ditched rare-earth magnets in its EVs in 2012. China's export squeeze made that look smart

A Renault explainer on rare-earth-free EV motors hit Hacker News. Here's how electric cars run without the magnets China controls, and who's shipping them.

Cargo loader moving freight onto an aircraft, a stand-in for the software supply chain
Security·

Red Hat's npm namespace and Arch's AUR were both backdoored within two weeks of each other

A worm hijacked Red Hat's npm namespace, a rootkit spread through 1,500 Arch AUR packages, and a SOC 2-certified AI gateway shipped malware. Registries are under fire.

Rows of server racks inside a data center, the kind of infrastructure that runs Starlette-based AI agent endpoints
Security·

One bad Host header bypassed auth in Starlette, the routing core under millions of AI agents

A flaw in Starlette, downloaded 325M times a week, let a single Host-header character bypass path-based auth across FastAPI, vLLM, and MCP servers.

Visual Studio Code logo on a dark background
Security·

VS Code's webview sandbox leaks GitHub tokens that read and write every private repo

A disclosed VS Code zero-day lets one click on a malicious github.dev notebook steal a GitHub OAuth token with full read-write access to every private repo.

A consumer M.2 solid-state drive, the kind of storage the FROST attack times from a browser tab
Web·

A browser SSD timing trick can fingerprint your browsing, and cookies won't stop it

Graz researchers built FROST, a browser side-channel that times SSD activity to guess which sites and apps you're running. Here's how it works and what helps.

Minecraft promotional artwork accompanying coverage of the WeedHack malware campaign
Gaming·

116,000 Minecraft PCs got infected by fake mods. The 'WeedHack' stealer is free to anyone.

McAfee says a free malware-as-a-service stealer called WeedHack has hit 116,000+ Minecraft systems via fake mods and cheats. Here's what it grabs and how to clean up.

GitHub and Windows security composite with a warning overlay
Security·

GitHub banned the researcher dropping Windows zero-days. The code was already mirrored everywhere.

GitHub wiped Nightmare-Eclipse's account on May 23 after weeks of unpatched Windows exploits. The ban reopened the oldest fight in security: who decides what research gets hosted?

Anthropic Project Glasswing announcement card with glasswing butterfly motif.
AI·

Anthropic's Glasswing logged 10,000 vulnerabilities in a month. Most are still waiting on a patch.

Anthropic says Project Glasswing's first month produced over 10,000 critical-and-high-severity vulns. Verification and patching is the limiting step.

GitHub security blog header showing the GitHub Octocat logo on a backdrop of black security blocks.
Security·

GitHub's internal repos were breached. The attacker came in through a poisoned VS Code extension.

GitHub detected the intrusion on May 18 after a malicious VS Code extension compromised an employee's device. The attacker claims to have exfiltrated 3,800 internal repositories.

CISA logo and seal of the U.S. Cybersecurity and Infrastructure Security Agency
Security·

A CISA contractor left GovCloud admin keys on public GitHub. The file was named 'Important AWS Tokens.txt'.

GitGuardian found a public CISA repo with 844 MB of secrets, including AWS GovCloud admin keys. The repo sat open for six months.

An illustration of the Claude Code deeplink vulnerability, showing a malicious URL handler triggering a shell prompt.
Security·

A bad command-line parser turned every claude-cli:// link into a remote shell

Joernchen of 0day.click found a deeplink RCE in Claude Code. Anthropic shipped the fix in 2.1.118 the same week.

A technician at a server rack with a laptop, standing in for the SQL infrastructure Opexus ran for 45 federal agencies.
Security·

Twin contractors deleted 96 federal databases in 56 minutes. One asked an AI how to clear the logs.

A federal jury convicted Sohaib Akhter on May 7 of wiping 96 government databases at Opexus. His twin Muneeb queried an AI: 'how do I clear system logs from SQL servers.'

TanStack website header with logo
Security·

TanStack published its npm supply-chain postmortem. The attack chained three GitHub Actions flaws.

Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.

Illustration accompanying ChinaTalk's investigation into grey-market Claude API proxy networks
AI·

Chinese proxy networks sell Claude API access at 90% off. They harvest every prompt that passes through.

A ChinaTalk investigation reveals how 'transfer stations' resell Anthropic API access using stolen credentials, model substitution, and prompt harvesting.

Abstract visualization of data exposure through code
Security·

380,000 vibe-coded apps are sitting on the open web. 5,000 of them are leaking real data.

RedAccess found that AI coding tools like Lovable, Base44, and Replit default to public hosting, leaving medical records, bank internals, and corporate secrets indexed by Google.

Illustration of students affected by a cybersecurity breach
Security·

ShinyHunters hit Canvas LMS for the second time. 275 million student records, 9,000 schools.

ShinyHunters breached Canvas LMS again, claiming 275 million records from 9,000 schools. Names, emails, student IDs, and private messages exposed.

Abstract Kaspersky illustration of a tampered software disk for the DAEMON Tools supply chain attack writeup
Security·

DAEMON Tools shipped a signed backdoor for almost a month. Kaspersky says one school in Russia got the second stage.

Kaspersky pinned a supply-chain attack on the DAEMON Tools installer dating to April 8. Thousands hit globally, dozens upgraded to a QUIC RAT implant via signed binaries.

Electronic certification testing equipment in a lab
Policy·

FCC just voted to bar Chinese labs from certifying US electronics. 75% of devices are tested there now.

Brendan Carr's FCC advanced the 'Bad Labs' rule on April 30 in a 3-0 vote, kicking off a 60-90 day comment period. The rule covers 126 labs in China and Hong Kong.