EcoVadis’ latest recognition by Microsoft — winning the Local Partner Award FY25 in the AI Transformation — Scale category — marks a notable milestone for sustainability software vendors deploying generative AI at enterprise scale and brings renewed attention to how procurement teams will use AI...
A critical vulnerability in the widely used npm package sha.js lets attackers supply unexpected input types that rewind or corrupt the internal hash state, produce identical digests for distinct inputs, and trigger denial-of-service conditions — a flaw tracked as CVE‑2025‑9288 and patched in...
A critical interpretation‑conflict flaw in the widely used JavaScript cryptography library node‑forge lets attackers craft malicious ASN.1 objects that desynchronize the library’s ASN.1 validator and bypass downstream cryptographic checks — a vulnerability tracked as CVE‑2025‑12816 that has been...
A high‑risk impersonation of a popular Windows 11 upgrade-and‑debloat tool has surfaced on an official‑looking domain, and the project maintainer has issued a blunt SECURITY ALERT telling users to stop using the mirror and download only from the official GitHub Releases page. Background /...
Microsoft’s Security Update Guide records CVE-2025-59288 as a real, vendor-acknowledged vulnerability in the Playwright toolchain that stems from improper verification of cryptographic signatures, and the advisory assigns a Medium severity rating (CVSS 3.1 base score 5.3). Background / Overview...
Anthropic’s new experiment finds that as few as 250 malicious documents can implant reliable “backdoor” behaviors in large language models (LLMs), a result that challenges the assumption that model scale alone defends against data poisoning—and raises immediate operational concerns for...
The race to build the world’s most powerful AI infrastructure has moved out of labs and into entire campuses, and Microsoft’s new Fairwater facility in Wisconsin is the clearest expression yet of that shift — a purpose-built AI factory that stitches together hundreds of thousands of...
ai training
ai wan
aitech
carbon-free energy
closed-loop cooling
cloud computing
data center design
data centers
distributed training
energy
exabyte storage
fairwater
fiber networking
frontier ai
gb200
gb200 nvl72
gpu
gpu clusters
green cooling
hyperscale compute
hyperscale data centers
hyperscalers
infiniband
infrastructure
large language models
large scale
liquid cooling
machine learning
microsoft
microsoft azure
model training
nvidia
nvidia blackwell
nvidia gb200
nvlink
nvswitch
openai
security governance
supplychainrisks
sustainability
sustainable energy
water usage
workforce development
PC “optimizer” apps promise a magic fix: one click to clean junk files, repair the registry, free RAM and make Windows run like new — but in practice some of the most popular tools have done the opposite, introducing privacy risks, background bloat, and even security incidents that worsened the...
advanced system care
built-in tools
ccleaner
clean master
disk cleanup
malware risks
pc health check
performance tuning
privacy risks
sfc dism
startup management
storage
supplychainrisks
system stability
telemetry
third-party optimizers
trusted vendors
windows maintenance
windows troubleshooting
ENGIE Impact’s leap into cloud-native AI shows how a specialist sustainability consultancy can turn mass invoice and supplier data into sharper risk signals and faster client value by running Azure AI Foundry, Azure Databricks, and Microsoft 365 Copilot together in a governed Azure estate. The...
adoption
automation
azure ai
azure databricks
change management
citizen developers
cloud ai
copilot
cost governance
data governance
data lakehouse
engie impact
enterprise ai
invoicing data
microsoft copilot
mlops
rag
supplychainrisks
sustainability analytics
vendor lock-in
As organizations race to exploit generative AI and broaden their third‑party ecosystems, a startling pattern is emerging: mass adoption without adequate visibility is creating a cascade of security, compliance, and financial risks that many firms are poorly equipped to handle. New survey data...
ai governance
ai security
breach detection
data inventory
data leakage
data security
dataflow
dlp
edr
governance
pets
privacy enhancements
regulatory compliance
siem
supplychainrisks
third-party risk
vendor management
visibility gap
zero trust
Microsoft and Phison have now all but closed the book on the late‑August panic: after weeks of community reports, lab reproductions and headlines warning that Windows 11 24H2’s August cumulative (KB5063878) was “bricking” SSDs, thorough vendor and Microsoft testing found no reproducible link...
Windows 11’s inbox app pile just got a new nemesis: Tiny11’s updated builder can now strip Copilot, the new Outlook client, Teams, and a long roster of built‑ins from a Windows 11 image — and the change is explicitly framed as a “25H2‑ready” rebuild that shrinks install size and prevents much of...
25h2
copilot
debloat
dism
enterprise it
inbox apps
iso
oscdimg
outlook
powershell
recovery compression
security risks
supplychainrisks
teams
tiny11
virtual machine
wim
windows 11
winsxs
In January, security researchers at Aim Labs disclosed a zero-click prompt‑injection flaw in Microsoft 365 Copilot that demonstrated how a GenAI assistant with broad document access could be tricked into exfiltrating sensitive corporate data without any user interaction—an attack class that...
adversarial testing
ai security
ai user control
data leakage
data security
dlp
echoleak
genai
governance
identity_first_access
microsegmentation
microsoft copilot
model governance
privilege
prompt injection
retrieval augmented generation
shadow ai
supplychainrisks
workload identities
zero trust
A critical deserialization vulnerability in Fuji Electric’s FRENIC-Loader 4 — tracked as CVE‑2025‑9365 and given a CVSS v4 base score of 8.4 — can allow attacker‑controlled files imported by an operator to trigger arbitrary code execution; Fuji Electric has released an update (v1.4.0.1 or later)...
Microsoft’s formal end-of-support date for Windows 10—October 14, 2025—has pushed local managed‑IT providers into high gear, warning businesses that failure to prepare will increase security exposure, complicate compliance, and make future hardware purchases more expensive and time consuming...
chromeos flex
cloud pc
data security
esu
extended security updates
fleet migration
hardware eligibility
hipaa compliance
it procurement
managed services
patch management
regulatory compliance
secure boot
smb it
supplychainrisks
tpm 2.0
windows 10 end of support
windows 11 upgrade
windows 365
Microsoft has selected Marvell’s LiquidSecurity family of hardware security modules (HSMs) to power its Azure Cloud HSM offering — a move that consolidates Marvell’s role across Azure’s key management portfolio and brings FIPS 140‑3 Level 3‑certified, high‑density PCIe HSMs into Microsoft’s...
Microsoft has selected Marvell’s LiquidSecurity family of hardware security modules (HSMs) to underpin its Azure Cloud HSM offering, a step that expands an existing Marvell–Azure relationship and brings FIPS 140‑3 Level 3‑certified, high‑density PCIe HSMs into Microsoft’s single‑tenant cloud HSM...
CISA’s August 14 advisory bundle is a wake-up call for every industrial operator: thirty-two separate Industrial Control Systems (ICS) advisories were published, covering a sweeping range of Siemens and Rockwell products — from PLC simulators and engineering platforms to rugged network gear and...
Siemens' COMOS engineering platform is again at the center of vendor and national cybersecurity advisories after an out‑of‑bounds write in a third‑party graphics library — tracked as CVE‑2024‑8894 — was linked to COMOS deployments and republished by authorities, raising fresh questions about...
Johnson Controls’ iSTAR Ultra family of door controllers contains a cluster of high‑impact vulnerabilities that — if left unpatched — can give remote attackers a path to root access, firmware modification, and local console takeover, creating a direct route from network compromise to physical...
cisa
command injection
default credentials
door controllers
end of service
firmware 6.9.3
firmware integrity
ics security
istar ultra
johnson controls
network segmentation
ot security
patch management
physical security
rj11 console
signing key
supplychainrisks
usb console