supply chain risk

Microsoft’s AI Red Team updated its agentic AI failure-mode taxonomy on June 4, 2026, adding seven categories after a year of red-team engagements against deployed agent systems, with new emphasis on supply-chain compromise, tool abuse, visual attacks, session contamination, and human-approval...

Microsoft has listed CVE-2026-41140 as a Poetry path-traversal flaw affecting source-distribution tar extraction when Poetry versions before 2.3.4 run on Python 3.10.0 through 3.10.12 or Python 3.11.0 through 3.11.4, exposing development and CI environments to crafted archives that escape their...

Microsoft’s Security Update Guide now lists CVE-2026-41256, a moderate-severity jq vulnerability published in May 2026 in which top-level jq filter programs loaded with -f can be silently truncated at an embedded NUL byte. The bug is not a Windows kernel emergency or a remote wormable flaw, but...

GitProtect.io said on June 1, 2026, that major DevOps platforms patched 236 vulnerabilities during 2025 across GitHub, GitLab, Azure DevOps, Jira, and Bitbucket, with 140 of those flaws rated high or critical and activity accelerating sharply in the second half. That is not just another annual...

CVE-2026-33672 is a medium-severity vulnerability in the JavaScript glob-matching library Picomatch, disclosed in late March 2026 and tracked by Microsoft’s Security Update Guide, that can let crafted POSIX character-class patterns produce incorrect filename matches in affected application...

CVE-2026-45232 is a low-severity rsync vulnerability disclosed in May 2026 and fixed in rsync 3.4.3, affecting clients that use the RSYNC_PROXY environment variable and receive a deliberately malformed HTTP proxy response from a hostile proxy or network-positioned attacker. That is a narrow lane...

Microsoft has listed CVE-2026-44673, a high-severity libyang flaw disclosed in 2026, in its Security Update Guide after researchers identified an integer overflow in lyb_read_string() that can become a heap buffer overflow when malicious LYB data is parsed. The bug is not a Windows kernel flaw...

Microsoft’s and Google’s reassurances that Anthropic’s Claude will remain broadly available to commercial and civilian customers — even after the Department of Defense formally called the company a “supply‑chain risk” — mark the latest turning point in a rare, high‑stakes clash between the U.S...

Microsoft’s decision to keep Anthropic’s Claude and related products available to customers outside of the Department of War has thrust the company — and corporate IT teams everywhere — into the middle of a rare convergence of national security policy, enterprise vendor strategy, and operational...

The Pentagon’s confrontation with Anthropic over the use of the Claude family of AI models has escalated from a tense negotiation into a high-stakes policy and procurement crisis — one that could end with the Defense Department formally labeling Anthropic a “supply chain risk,” invoking the...

Microsoft Defender Experts have uncovered a coordinated developer‑targeting campaign that uses malicious Next.js repositories and recruiting‑style technical assessments as the initial lure, turning routine developer actions—opening a project in Visual Studio Code, starting a dev server, or...

Microsoft’s flagship productivity assistant briefly read and summarized emails organizations had explicitly marked “Confidential,” a notorious ransomware‑era data thief claimed 1.7 million CarGurus records, and the state of Texas has filed suit against TP‑Link — three discrete stories that...

A pervasive TLS certificate‑verification lapse in Perl’s CPAN.pm (tracked as CVE‑2023‑31484) left versions earlier than 2.35 trusting HTTPS downloads without validating server certificates — a simple oversight with serious supply‑chain consequences that was fixed by enabling explicit SSL...

Microsoft’s short answer — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is accurate as a product-level attestation, but it is not a technical guarantee that only Azure Linux can include the vulnerable drm/i915/gem code; any Microsoft artifact that...

A subtle parsing bug in Go’s build tooling quietly opened a door for attackers to run code during compilation — and the fallout is wider than you might expect if your environment uses gccgo or builds untrusted modules. CVE-2023-29405 exposes an improper sanitization of LDFLAGS with embedded...

A parser bug in the Go standard library — tracked as CVE‑2024‑34158 — lets a specially crafted build-tag line trigger stack exhaustion inside go/build/constraint’s Parse routine and crash processes that parse untrusted source files; the bug was fixed in the emergency releases that shipped in...

SQLite’s parser tripped over an incomplete fix and, in late 2019, a seemingly small logic omission in select.c produced a NULL‑pointer / parsing error that could be triggered by crafted SQL — the vulnerability tracked as CVE‑2019‑19926 exposed how brittle error‑path handling in a widely embedded...

Microsoft’s MSRC entry for CVE‑2024‑29195 identifies a buffer‑length validation flaw in the azure‑c‑shared‑utility (the C “shared utility” used by Azure IoT C SDKs) that can lead to an integer wraparound, under‑allocation and heap buffer overflow — and it explicitly notes that Azure Linux...

A subtle arithmetic bug in a widely used Go PostgreSQL driver—pgx—turned into a critical SQL‑injection risk: if an attacker can force a single query or bind message to exceed 4 GB, a 32‑bit size calculation can wrap and let the attacker fragment and inject protocol messages, enabling arbitrary...

The CloudEvents Go SDK vulnerability tracked as CVE-2024-28110 exposes a subtle but serious supply-chain risk: prior to version v2.15.2, using cloudevents.WithRoundTripper to construct a client with an authenticated http.RoundTripper causes the SDK to inadvertently modify http.DefaultClient...