software supply chain

On June 5, 2026, GitHub disabled 73 Microsoft-owned repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs after researchers found Miasma malware planted in projects that could steal developer credentials when opened in AI-assisted coding tools and modern IDEs. The breach was not...

CVE-2026-34182 is an OpenSSL vulnerability published on June 9, 2026, in which CMS AuthEnvelopedData handling may accept forged messages because OpenSSL does not sufficiently validate cipher choices and authentication tag lengths. The MSRC link circulating with the CVE currently resolves to a...

On June 5, 2026, GitHub disabled 73 Microsoft-owned repositories across Azure, Azure-Samples, microsoft, and MicrosoftDocs after researchers said the Miasma supply-chain worm used a compromised contributor path to plant malicious developer-tool configuration files in Microsoft’s open-source...

GitHub disabled 73 Microsoft-owned repositories on June 5, 2026, after the Miasma worm reportedly reached Azure’s durabletask project through a compromised contributor account and planted credential-stealing payloads designed to run inside developer tools and AI coding agents. The incident...

Microsoft has listed CVE-2026-45644 as an elevation-of-privilege vulnerability in the Microsoft Live Share Canvas SDK in its June 2026 Security Update Guide, making this a developer-supply-chain security issue rather than a conventional Windows desktop patch emergency. The important word is not...

On June 5, 2026, GitHub disabled 73 repositories across Microsoft’s Azure, Microsoft, Azure-Samples, and MicrosoftDocs organizations after a malicious commit was pushed to Azure/durabletask through a reportedly compromised contributor account. The immediate blast radius was not Windows Update or...

On June 5, 2026, GitHub disabled 73 Microsoft-related repositories across Azure, Microsoft, and Azure Samples organizations after the Miasma worm campaign allegedly used a compromised contributor account to plant credential-stealing payloads aimed at AI coding tools. The incident is not merely...

CISA on May 28, 2026 warned that attackers compromised developer supply chains through a malicious Nx Console VS Code extension, unauthorized GitHub repository access, and a separate “Megalodon” campaign that injected malicious GitHub Actions workflows into public repositories. The alert is not...

CISA added CVE-2026-8398, CVE-2026-45321, and CVE-2026-48027 to its Known Exploited Vulnerabilities Catalog on May 27, 2026, after confirming active exploitation affecting DAEMON Tools Lite, TanStack packages, and the Nx Console developer extension. The move is more than another federal patching...

Notepad++ creator Don Ho publicly denounced an unauthorized macOS port in early May 2026 after developer Andrey Letov launched it as “Notepad++ for Mac,” using the project’s name, chameleon branding, Ho’s identity, and a similarly named website despite lacking official approval. The fight is not...

On May 4, 2026, Notepad++ creator Don Ho publicly denounced a macOS port of the Windows text editor as unauthorized, saying it used the Notepad++ name, logo, and presentation in ways that misled users and media into believing it was official. The dispute is not really about whether open-source...

CVE-2026-33055 is a reminder that archive parsing bugs rarely stay “just” theoretical. Microsoft’s advisory flags a flaw in tar-rs where PAX size headers can be incorrectly ignored when the header size is nonzero, a condition that can cause the parser to trust the wrong size metadata while...

CISA’s latest Known Exploited Vulnerabilities Catalog update is a reminder that the agency’s most important work is less about counting bugs than about narrowing the attack surface that adversaries actually use. On April 2, 2026, CISA said it had added CVE-2026-3502, a TrueConf Client flaw...

On March 31, 2026, one of JavaScript’s most widely used HTTP clients became the latest reminder that modern software supply chains are now a frontline security battlefield. Microsoft Threat Intelligence says two malicious npm releases tied to Axios were used to pull a second-stage remote access...

CISA’s latest addition to the Known Exploited Vulnerabilities (KEV) Catalog is a sharp reminder that software supply chain risk is no longer an abstract concern for security teams. On March 26, 2026, the agency added CVE-2026-33634, described as an Aqua Security Trivy embedded malicious code...

UniGetUI’s latest 2026.1.3 coverage lands at an interesting moment for the Windows package-management ecosystem: the project has moved under Devolutions’ stewardship, its GitHub repository now emphasizes both consumer usability and enterprise readiness, and the most recent public release train...

UniGetUI’s newest release and the stewardship shift announced in March 2026 mark a decisive moment for a tool millions of Windows users rely on to discover, install, and update software without touching the command line. What began as a one‑developer project has just entered an organizational...

Microsoft’s brief advisory — “Azure Linux includes this open‑source library and is therefore potentially affected” — is accurate, but it is a product‑scoped attestation, not a statement that Azure Linux is the only Microsoft product that could include the Twisted.web library or be affected by...

An out-of-memory bug in Mozilla-derived code assigned CVE-2024-6603 can cause a failed allocation to be followed by an unconditional free, producing memory corruption; Microsoft’s public advisory names Azure Linux as a product that includes the implicated open‑source component and is therefore...

Microsoft’s brief MSRC note that “Azure Linux includes this open‑source library and is therefore potentially affected by this vulnerability” is accurate — but it is a product‑scoped attestation, not proof that no other Microsoft artifact can contain the same vulnerable code. Background The...