supply chain risk

Microsoft Defender Experts have uncovered a coordinated developer‑targeting campaign that uses malicious Next.js repositories and recruiting‑style technical assessments as the initial lure, turning routine developer actions—opening a project in Visual Studio Code, starting a dev server, or...

Microsoft’s flagship productivity assistant briefly read and summarized emails organizations had explicitly marked “Confidential,” a notorious ransomware‑era data thief claimed 1.7 million CarGurus records, and the state of Texas has filed suit against TP‑Link — three discrete stories that...

A pervasive TLS certificate‑verification lapse in Perl’s CPAN.pm (tracked as CVE‑2023‑31484) left versions earlier than 2.35 trusting HTTPS downloads without validating server certificates — a simple oversight with serious supply‑chain consequences that was fixed by enabling explicit SSL...

Microsoft’s short answer — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is accurate as a product-level attestation, but it is not a technical guarantee that only Azure Linux can include the vulnerable drm/i915/gem code; any Microsoft artifact that...

A subtle parsing bug in Go’s build tooling quietly opened a door for attackers to run code during compilation — and the fallout is wider than you might expect if your environment uses gccgo or builds untrusted modules. CVE-2023-29405 exposes an improper sanitization of LDFLAGS with embedded...

A parser bug in the Go standard library — tracked as CVE‑2024‑34158 — lets a specially crafted build-tag line trigger stack exhaustion inside go/build/constraint’s Parse routine and crash processes that parse untrusted source files; the bug was fixed in the emergency releases that shipped in...

SQLite’s parser tripped over an incomplete fix and, in late 2019, a seemingly small logic omission in select.c produced a NULL‑pointer / parsing error that could be triggered by crafted SQL — the vulnerability tracked as CVE‑2019‑19926 exposed how brittle error‑path handling in a widely embedded...

Microsoft’s MSRC entry for CVE‑2024‑29195 identifies a buffer‑length validation flaw in the azure‑c‑shared‑utility (the C “shared utility” used by Azure IoT C SDKs) that can lead to an integer wraparound, under‑allocation and heap buffer overflow — and it explicitly notes that Azure Linux...

A subtle arithmetic bug in a widely used Go PostgreSQL driver—pgx—turned into a critical SQL‑injection risk: if an attacker can force a single query or bind message to exceed 4 GB, a 32‑bit size calculation can wrap and let the attacker fragment and inject protocol messages, enabling arbitrary...

The CloudEvents Go SDK vulnerability tracked as CVE-2024-28110 exposes a subtle but serious supply-chain risk: prior to version v2.15.2, using cloudevents.WithRoundTripper to construct a client with an authenticated http.RoundTripper causes the SDK to inadvertently modify http.DefaultClient...

Microsoft’s short advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a product‑scoped attestation, not a categorical guarantee that no other Microsoft product or service ships the same vulnerable code. erview CVE‑2023‑35945...