devtake.dev

Security & supply chain

Modern breaches rarely come through the front door. They come through a CI runner’s tokens, a tag that got force-pushed overnight, a maintainer account with no 2FA, a protobuf schema that compiles into a Function() call. We track the attacks that hit package registries and build pipelines, the hardware-side exploits that keep escaping from conference slides into production, and the quiet, decade-long migration to post-quantum cryptography that most teams are still pretending isn’t a deadline.

13 articles in this topic

Open Source

Ubuntu 26.04 LTS ships Wayland-only, Rust coreutils, and post-quantum SSH by default

Canonical released Ubuntu 26.04 'Resolute Raccoon' on April 23. It's the first LTS without X11, ships kernel 7.0 and GNOME 50, and sets post-quantum SSH on by default.

Bitwarden CLI compromised by the Shai-Hulud npm worm
Security

Bitwarden CLI got backdoored for 90 minutes. The worm calls itself 'Shai-Hulud: The Third Coming.'

A malicious @bitwarden/[email protected] hit npm on April 22. The payload steals npm tokens, cloud secrets, and Claude Code credentials, then self-replicates.

Security

Microsoft rushed an out-of-band ASP.NET Core patch. If you shipped between April 14 and April 21, you need to rebuild.

CVE-2026-40372 lets attackers forge auth cookies on .NET 10.0.6 apps on Linux and macOS. The fix is 10.0.7. Here's what broke, who's exposed, and how to patch.

Open Source

Mozilla fixed 271 Firefox bugs that Claude Mythos found. Its own tests caught 22.

Firefox 150 shipped Monday with 271 security fixes from Anthropic's Project Glasswing. Mozilla CTO Bobby Holley says Mythos matches elite human researchers.

Security

protobuf.js RCE: a 52M/week npm package was one bad type name from code execution

GHSA-xq3m-2v4x-88gg hits protobuf.js ≤8.0.0 / ≤7.5.4. Attacker-controlled schemas executed arbitrary JS on decode. One-line fix patched it.

Security

GPUHammer grew up: three new Rowhammer attacks take full control of Nvidia machines

IEEE S&P 2026 papers extend GPUHammer with GeForge, GDDRHammer, and GPUBreach. They flip GDDR6 bits to break out of the GPU and own the host.

Open Source

Inside GitHub's fake star economy: 6 million bought stars and how to spot them

A Carnegie Mellon study counted 6 million suspected fake stars across 18,617 GitHub repos. Here's what the StarScout research actually found and how to read a star count now.

AI

NSA is running Anthropic's Mythos. The Pentagon says Anthropic is a supply-chain risk.

Axios reports the NSA is using Anthropic's unreleased Mythos model even though the Defense Department has blacklisted Anthropic. One government, two positions.

Security

Vercel got breached through a third-party AI tool's OAuth app. Here's what leaked.

A Context.ai compromise let attackers take over a Vercel employee's Google Workspace. Non-sensitive env vars were exposed, and a ShinyHunters persona is asking $2M.

Security

Trivy got hijacked: 75 of 76 version tags rewrote to drop a CI secret-stealer

Attackers force-pushed 75 of 76 trivy-action tags to a malicious commit. Pinning by tag turned a trusted scanner into an infostealer for CI pipelines.

AI

OpenAI launches GPT-5.4-Cyber for defensive security, opens access to thousands

OpenAI's new cybersecurity-tuned model can reverse-engineer binaries and analyze malware. It's restricted to verified defenders through the Trusted Access program.

Web

Google just moved 'Q-Day' to 2029. Here's what that changes for your crypto stack

Google's security team says cryptographically relevant quantum computers could arrive by 2029, six years before the NSA's 2031 deadline. What to migrate, and in what order.

AI

Claude Code Routines: what they actually do, and when to use them over GitHub Actions

Anthropic just shipped Routines: Claude Code sessions as cron jobs, webhooks, and GitHub-event reactors. Here's what they replace, what they don't, and one rule to follow.