A subtle bug in pip’s wheel extraction logic has produced CVE‑2026‑1703 — a limited path‑traversal flaw that can allow specially crafted wheel (zip) archives to place files outside the intended installation directory during a normal pip install. The defect is narrowly scoped — the traversal is...
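The check that a wheel (zip) extractor needs in order to stop a member such as `../../.bashrc` from landing outside the install directory, written here in Go as an added illustration. This is not pip's code or the CVE's fix, and the archive contents, destination path and function names are constructed for the example: each member name is resolved against the destination and rejected if it is not lexically local or the joined path does not stay under the destination.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// safeTarget resolves one archive member name against destDir and reports
// whether the resulting path stays inside destDir. Names are treated as
// '/'-separated zip paths; backslashes are normalised first so "..\x" cannot
// pass a Unix-side check and later be read as a directory walk on Windows.
func safeTarget(destDir, member string) (string, bool) {
	name := filepath.FromSlash(strings.ReplaceAll(member, `\`, "/"))
	// filepath.IsLocal rejects empty, absolute and ".."-escaping paths lexically.
	if !filepath.IsLocal(name) {
		return "", false
	}
	base := filepath.Clean(destDir)
	target := filepath.Join(base, name) // Join also cleans the result
	// Belt and braces: the joined path must be base itself or below it.
	if target != base && !strings.HasPrefix(target, base+string(filepath.Separator)) {
		return "", false
	}
	return target, true
}

// auditArchive opens an in-memory zip and returns, in archive order, the member
// names that would escape destDir if extracted with a naive filepath.Join.
func auditArchive(data []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// With GODEBUG=zipinsecurepath=0 the reader flags such names itself but
	// still hands back a usable Reader; we keep our own check either way.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var escaped []string
	for _, f := range r.File {
		if _, ok := safeTarget(destDir, f.Name); !ok {
			escaped = append(escaped, f.Name)
		}
	}
	return escaped, nil
}

// buildSampleArchive writes a small zip in memory. This is constructed sample
// data, not a real wheel from any advisory: two ordinary members followed by
// two traversal attempts using forward and backward slashes.
func buildSampleArchive() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	members := []struct{ name, body string }{
		{"demo/__init__.py", ""},
		{"demo-1.0.dist-info/RECORD", ""},
		{"../../.bashrc", "echo pwned\n"},
		{`..\..\startup.bat`, "echo pwned\r\n"},
	}
	for _, m := range members {
		f, err := w.Create(m.name)
		if err != nil {
			panic(err)
		}
		if _, err := f.Write([]byte(m.body)); err != nil {
			panic(err)
		}
	}
	if err := w.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	escaped, err := auditArchive(buildSampleArchive(), "/opt/venv/lib/python3.12/site-packages")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, name := range escaped {
		fmt.Printf("would escape install dir: %q\n", name)
	}
}
```

The point of checking both `IsLocal` and the joined prefix is that the first is a lexical rule on the member name and the second a rule on the final path; a name that passes one but not the other (for example a destination that is itself a prefix of a sibling directory) is still rejected.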
Microsoft’s decision to file in court on behalf of Anthropic — asking a judge to pause the Pentagon’s supply‑chain risk designation — marks a rare and consequential collision between corporate cloud strategy, AI safety policy, and national security law that will reshape how Washington and...
Microsoft’s decision to keep Anthropic’s Claude and related products available to customers outside of the Department of War has thrust the company — and corporate IT teams everywhere — into the middle of a rare convergence of national security policy, enterprise vendor strategy, and operational...
AWS’ open-source cryptographic library AWS‑LC received a pair of serious PKCS#7 validation fixes in early March 2026 after researchers reported that the library’s PKCS7_verify() routine could incorrectly bypass certificate chain validation for certain multi‑signer PKCS#7 objects, allowing...
When a tiny, widely used HTTP client slips into an insecure default mode, the consequences ripple far beyond a single library — they reach package managers, CI pipelines, internal tooling, and any application that quietly trusts “https://” without actually verifying who’s on the other end...
Webpack’s magic comments are small developer conveniences that quietly changed how bundles are named and fetched — but a subtle parsing bug in Webpack 5’s ImportParserPlugin turned those conveniences into a serious attack surface, allowing a crafted untrusted object to reach across JavaScript...
The Go toolchain disclosure CVE-2023-24531 reveals a deceptively simple but important weakness: the go env command prints a shell-script-style representation of environment variables without adequately sanitizing their values. If that output is executed as shell code, specially crafted...
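What adequate sanitisation looks like for output that is meant to be fed to `eval`, as an added example and not the Go toolchain's own code or its fix. The two renderers below model the vulnerable pattern (values copied verbatim inside double quotes, where the shell still expands `$(...)`) and its hardened counterpart (single quotes with embedded quotes spliced as `'\''`), then run both through `sh` to show what the shell actually stores. The environment values and helper names are constructed for the illustration.

```go
package main

import (
	"fmt"
	"os/exec"
	"sort"
	"strings"
)

// hostileEnv is constructed sample data, not real `go env` output. One value
// carries a command substitution, the other an embedded single quote.
var hostileEnv = map[string]string{
	"GOFLAGS": "-mod=vendor$(echo INJECTED)",
	"GOPROXY": "it's quoted",
}

// shellQuote makes v safe to paste into a POSIX sh script: single quotes
// suppress every expansion, and an embedded single quote is spliced back in
// as '\'' (close quote, escaped quote, reopen quote).
func shellQuote(v string) string {
	return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
}

// sortedKeys gives deterministic output order for the two renderers.
func sortedKeys(env map[string]string) []string {
	keys := make([]string, 0, len(env))
	for k := range env {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// renderUnsafe models the vulnerable pattern: NAME="value" with the value
// copied verbatim. Inside double quotes the shell still performs $(...),
// backtick and $VAR expansion, so a crafted value runs when the output is eval'd.
func renderUnsafe(env map[string]string) string {
	var b strings.Builder
	for _, k := range sortedKeys(env) {
		fmt.Fprintf(&b, "%s=\"%s\"\n", k, env[k])
	}
	return b.String()
}

// renderQuoted is the hardened counterpart: NAME='value' via shellQuote.
func renderQuoted(env map[string]string) string {
	var b strings.Builder
	for _, k := range sortedKeys(env) {
		fmt.Fprintf(&b, "%s=%s\n", k, shellQuote(env[k]))
	}
	return b.String()
}

// haveSh reports whether a POSIX shell is available for the live demonstration.
func haveSh() bool {
	_, err := exec.LookPath("sh")
	return err == nil
}

// evalAndRead runs script in sh, the way `eval "$(go env)"` would, then prints
// the variable name so we can see what the shell actually stored.
func evalAndRead(script, name string) (string, error) {
	out, err := exec.Command("sh", "-c", script+"printf '%s' \"$"+name+"\"").Output()
	return string(out), err
}

func main() {
	if !haveSh() {
		fmt.Println("no sh on PATH; skipping live demonstration")
		return
	}
	for label, render := range map[string]func(map[string]string) string{
		"unsafe": renderUnsafe, "quoted": renderQuoted,
	} {
		got, err := evalAndRead(render(hostileEnv), "GOFLAGS")
		fmt.Printf("%-6s GOFLAGS=%q err=%v\n", label, got, err)
	}
}
```

With the unsafe renderer the shell stores `-mod=vendorINJECTED`, meaning `echo INJECTED` ran; with the quoted renderer it stores the literal `-mod=vendor$(echo INJECTED)`, and the value containing a single quote round-trips intact.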
A high-severity remote-code-execution flaw in the widely used Python packaging library pypa/setuptools — tracked as CVE-2024-6345 — lets attackers turn crafted package URLs into arbitrary command execution on affected systems; the bug affects setuptools versions up to 69.1.1 and was corrected in...
A double‑free in GnuTLS’s Subject Alternative Name export logic — tracked as CVE‑2025‑32988 — can be triggered by a crafted certificate containing an otherName SAN with a malformed type‑id OID, allowing the library to free the same ASN.1 node twice (via asn1_delete_structure()), which in real...
Microsoft’s short answer — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is correct as a product‑level attestation, but it is not a technical guarantee that Azure Linux is the only Microsoft product that could contain the vulnerable mt76/mt7915...
A subtle but dangerous bypass in the Go toolchain’s build logic lets attacker-controlled line directives slip unsafe compiler and linker flags into go builds — a flaw tracked as CVE-2023-39323 that can lead to arbitrary code execution during compilation and presents a material supply‑chain/CI...
The Go toolchain’s cgo LDFLAGS bug — tracked as CVE‑2023‑29404 — is a high‑severity build‑time weakness that lets a malicious module smuggle unsafe linker directives into the go command’s invocation, creating a practical path to arbitrary code execution during compilation and packaging. This is...
A subtle bug in a popular Go markdown library quietly turned into a disruptive denial-of-service vector: a malformed citation in certain parser modes can trigger an out‑of‑bounds read and crash any application that renders untrusted input with the affected code path. This vulnerability, tracked...
Microsoft’s public mapping for CVE-2024-30204 correctly calls out that Azure Linux includes the affected Emacs component and is therefore potentially affected, but that statement answers only which Microsoft product Microsoft has inventory-checked and declared as a carrier so far — it is not a...
A subtle overflow in a widely used UEFI helper — the shim bootloader’s handle_image() routine — reappeared in headlines after CVE-2022-28737 was published, and Microsoft’s short advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” has prompted a...
The discovery that LLVM’s ARM backend could generate code that overwrites the Link Register (LR) without saving it to the stack — tracked as CVE‑2024‑31852 — is a sober reminder that compiler toolchains can introduce subtle, hard‑to‑detect integrity failures into otherwise secure software, and...
Big Tech’s 2026 AI spending plans are not a gentle ramp — they are a once‑in‑corporate‑history infrastructure buildout that, by most estimates, pushes annual hyperscaler capital expenditure into the low‑hundreds of billions and creates a concentrated, high‑stakes market for chips, data centers...
C.H. Robinson’s decision to fold its Navisphere platform deeper into Microsoft’s Azure stack marks a deliberate push to turn episodic shipment tracking into continuous, sensor-driven intelligence — a move that could accelerate digitization across freight, cold chain and multimodal logistics...
CISA’s latest update to the Known Exploited Vulnerabilities (KEV) Catalog adds four actively exploited CVEs — a mix of application logic flaws, an insecure development-tooling exposure, a supply‑chain compromise, and a PHP file‑inclusion bug — underscoring the breadth of attack surfaces...
When a sector’s wiring runs across continents and under oceans, a single act of geopolitics can ripple from the diplomatic backrooms to the redundant power feeds under your office floor — and the data center industry is precisely that kind of transcontinental project, fragile at the seams and...