#supply-chain
21 posts tagged #supply-chain.
-
Analysis · Jun 3, 2026 · Colten Anderson
Three CVEs keep getting called the Nx attack, and only one of them is this one
An 18-minute window on the VS Code marketplace ended with 3,800 of GitHub's own repositories copied. The interesting part isn't the speed. It's the delivery channel nobody was watching.
-
Analysis · May 28, 2026 · Colten Anderson
GlassWorm's botnet is down, but the technique it proved still works
CrowdStrike, Google, and Shadowserver knocked out all four C2 channels at once. That ends the infrastructure, not the playbook. Three primitives outlive the takedown.
-
Field Note · May 28, 2026 · Colten Anderson
NGINX Rift: four places apt upgrade doesn't reach
The host patch for CVE-2026-42945 shipped on day one. The container images, the App Protect WAF in front of it, the downstream forks, and the config audit it leaves behind are separate jobs.
-
Analysis · May 20, 2026 · Colten Anderson
When the build tool, the GitHub Action, and sudo are the vulnerability
tj-actions, a poisoned GitHub Action; Sudo's chroot bug; 7-Zip's Mark-of-the-Web bypass; Git, FreeType, Erlang/OTP, PHPMailer, Vite, jQuery. The developer-tooling and dependency entries are the supply chain itself getting exploited, the layer beneath the apps you ship.
-
Analysis · May 20, 2026 · Colten Anderson
The dev stack is production: RCEs in CI servers, AI tools, and CMSes you exposed
Jenkins, GitLab, Tomcat, OFBiz, Craft CMS, plus a new wave of AI/dev tools, Langflow, n8n, Marimo, Trivy, Livewire. The DevTools and supply-chain entries share a blind spot: the development and automation stack is internet-facing production infrastructure, and it gets exploited like it.
-
Analysis · May 20, 2026 · Colten Anderson
When a vulnerability is shaped exactly like a backdoor
CVE-2021-44529 triggers when you send Ivanti's appliance a cookie that says 'ab' followed by base64 the server decodes and runs. That's not what an accidental bug looks like. Whether it was planted or just terrible code, the lesson about dependency provenance is the same.
-
Analysis · May 20, 2026 · Colten Anderson
Compromise one MSP's RMM, ransom a thousand businesses: the Kaseya pattern
Kaseya VSA is remote-monitoring software MSPs use to manage thousands of client machines. That reach is why it keeps getting attacked, and why in 2021 REvil used it to push ransomware to roughly 1,500 downstream businesses in a single weekend.
-
Analysis · May 20, 2026 · Colten Anderson
Everyone remembers patching Log4Shell. Few built the thing that would make the next one easy.
CVE-2021-45046 is the bug that proved the first Log4Shell fix was incomplete, kicking off a patch-the-patch cascade in December 2021. The teams that 'patched Log4j' on day one had to do it again, and again. The durable lesson wasn't speed. It was knowing where the dependency lived.
-
Analysis · May 20, 2026 · Colten Anderson
You can be the victim of a vulnerability in software you don't run
Most of the 90-plus million people whose data Cl0p stole through MOVEit had never heard of it, and their data leaked through payroll firms and service bureaus, not their own systems. CVE-2023-34362 is the case study in third-party data risk you can't patch your way out of.
-
Analysis · May 20, 2026 · Colten Anderson
Why ransomware crews love a backup server twice over
CVE-2022-36537 is a ZK Framework bug that handed attackers ConnectWise R1Soft backup servers. A backup server is the perfect ransomware target for two reasons at once: it can push code to everything it protects, and destroying it removes the one thing that lets a victim refuse to pay.
-
Analysis · May 20, 2026 · Colten Anderson
The SolarWinds crew spent late 2023 breaking into build servers. That's not a coincidence.
CVE-2023-42793 is an unauthenticated RCE on JetBrains TeamCity. APT29, the Russian service behind SolarWinds, exploited it at scale, and so did North Korean groups. They weren't after one network. A build server is the supply chain.
-
Analysis · May 18, 2026 · Colten Anderson
A valid signature is not a vouch
For 27 days the official DAEMON Tools installer carried a clean Disc Soft signature and a backdoor. The signature did exactly what it was designed to do. That is the problem.
-
Analysis · May 17, 2026 · Colten Anderson
The malware was signed. The signature was real. The package was poison.
TanStack's npm release pipeline published 84 malicious package versions with valid SLSA provenance. The attestation was correct. It just wasn't the question that mattered.
-
Analysis · May 12, 2026 · Colten Anderson
What 14 days of TeamPCP told us about registry defense in 2026
Five compromises across two ecosystems in six weeks, then a 169-package npm wave on May 11. One threat actor, two very different defensive postures. The pattern is the point.
-
Analysis · May 10, 2026 · Colten Anderson
SimpleHelp CVE-2024-57727: a seven-day patch and a sixteen-month leak
SimpleHelp shipped a fix in seven days from full disclosure. Then they posted it to a forum. Ransomware affiliates have been pulling hashed admin credentials out of unpatched servers ever since.
-
Analysis · May 5, 2026 · Colten Anderson
React2Shell turned every Next.js App Router deployment into a pre-auth RCE target
Lachlan Davidson reported CVE-2025-55182 to Meta on a Friday. By the following Thursday, ransomware groups were deploying payloads within one minute of initial access. A 200-byte POST, CVSS 10, 137,000 exposed instances, and most developers never knew their frontend had server-side attack surface.
-
Analysis · May 4, 2026 · Colten Anderson
Three hours was the good outcome: npm's trust model and the Axios compromise
A DPRK threat actor backdoored two Axios versions on npm. Socket flagged the malicious dependency in six minutes. Nothing stopped the downstream publish fifteen minutes later. The system worked exactly as designed.
-
Analysis · May 3, 2026 · Colten Anderson
50 CVEs in 18 months is not a growing pain. It's a design choice the industry keeps making.
MCP went from unknown to default AI integration in under two years. The vulnerability count, the OWASP Top 10, and the simultaneous client failures tell a story about what happens when adoption is the only metric.
-
Analysis · May 3, 2026 · Colten Anderson
Spirit Airlines is dead. Its attack surface isn't.
The security story isn't that an airline went bankrupt. It's what happens to 132 APIs, years of customer PII, and a cloud footprint when a company dies overnight and nobody is left to decommission it.
-
Analysis · May 1, 2026 · Colten Anderson
The Vercel breach is the Heroku/Travis CI playbook, rerun through an AI tool
A compromised OAuth token at a small AI productivity company gave attackers a path into Vercel's internal systems. The structural pattern is four years old. AI tools are making it worse.
-
Analysis · May 1, 2026 · Colten Anderson
Anthropic's MCP gives every downstream app unauthenticated RCE, and they called it expected behavior
The Model Context Protocol's STDIO transport passes user input directly into subprocess execution with no sanitization. OX Security found 14+ CVEs across the ecosystem. Anthropic declined to patch.