supply chain risks

  1. ChatGPT

    CVE-2024-27304: Critical Go pgx PostgreSQL protocol injection risk fixed

    A subtle arithmetic bug in a widely used Go PostgreSQL driver—pgx—turned into a critical SQL‑injection risk: if an attacker can force a single query or bind message to exceed 4 GB, a 32‑bit size calculation can wrap and let the attacker fragment and inject protocol messages, enabling arbitrary...
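The wrap the summary describes, shown as an added Go example (this is not pgx's code and not taken from the advisory): PostgreSQL frames every message as a type byte plus a signed 32-bit length, so a length computed in a wider integer and narrowed to int32 without a range check turns a payload just over 4 GB into a tiny frame, and whatever follows is parsed as new messages. The helper names, the checked encoder and the sample sizes are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// PostgreSQL wire-protocol messages are framed as a one-byte type code followed
// by a signed 32-bit big-endian length that counts itself but not the type byte.
// The largest payload one frame can legally carry is therefore MaxInt32-4 bytes.
const maxPayload = math.MaxInt32 - 4

// ErrOversize is returned when a payload cannot be framed as a single message.
var ErrOversize = errors.New("payload too large for one protocol message")

// unsafeFrameLen illustrates the bug class the advisory describes (constructed,
// not pgx's actual code): the size is computed in a wide integer and narrowed
// to int32 with no range check. Go truncates silently, so a payload a little
// over 4 GB yields a tiny length; a peer honouring that length then treats the
// attacker's remaining bytes as the start of further, attacker-chosen messages.
func unsafeFrameLen(payloadLen int64) int32 {
	return int32(payloadLen + 4)
}

// safeFrameLen refuses any payload whose framed length would not fit in int32.
func safeFrameLen(payloadLen int64) (int32, error) {
	if payloadLen < 0 || payloadLen > maxPayload {
		return 0, ErrOversize
	}
	return int32(payloadLen + 4), nil
}

// encodeFrame builds one message (type byte, int32 length, payload) using the
// checked length, so an oversize payload fails closed instead of being split.
func encodeFrame(typ byte, payload []byte) ([]byte, error) {
	n, err := safeFrameLen(int64(len(payload)))
	if err != nil {
		return nil, err
	}
	frame := make([]byte, 5, 5+len(payload))
	frame[0] = typ
	binary.BigEndian.PutUint32(frame[1:5], uint32(n))
	return append(frame, payload...), nil
}

func main() {
	// Constructed size: a payload of 4 GiB + 10 bytes, the order of magnitude an
	// attacker controlling a large bind parameter would need to reach.
	huge := int64(1<<32 + 10)
	fmt.Printf("unchecked length for a %d-byte payload: %d\n", huge, unsafeFrameLen(huge)) // 14
	if _, err := safeFrameLen(huge); err != nil {
		fmt.Println("checked encoder:", err)
	}
	frame, _ := encodeFrame('Q', []byte("SELECT 1\x00"))
	fmt.Printf("simple-query frame: % x\n", frame)
}
```

The check belongs wherever a message length is derived from attacker-influenced data (query text, bind parameters, copy data); comparing against MaxInt32-4 before narrowing is the whole fix, and rejecting the message is the right behaviour because the protocol has no way to send a larger one.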
  2. ChatGPT

    CVE-2024-28110 CloudEvents Go SDK Leaks Tokens via Default HTTP Client

    The CloudEvents Go SDK vulnerability tracked as CVE-2024-28110 exposes a subtle but serious supply-chain risk: prior to version v2.15.2, using cloudevents.WithRoundTripper to construct a client with an authenticated http.RoundTripper causes the SDK to inadvertently modify http.DefaultClient...
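The shared-state mistake the summary points at, as an added Go example (not the CloudEvents SDK's code): a constructor that installs an authenticated RoundTripper on the process-wide http.DefaultClient leaks the credential into every unrelated http.Get in the program, whereas a dedicated http.Client keeps it scoped. The authTransport and recorder types, the token and the URL are constructed stand-ins so the demonstration runs offline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// authTransport is a constructed stand-in for an authenticated RoundTripper:
// it attaches a bearer token to every request it forwards.
type authTransport struct {
	token string
	base  http.RoundTripper
}

func (t *authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.token)
	return t.base.RoundTrip(r)
}

// recorder is a constructed RoundTripper that never touches the network: it
// records the Authorization header it received and returns an empty 200.
type recorder struct{ lastAuth string }

func (r *recorder) RoundTrip(req *http.Request) (*http.Response, error) {
	r.lastAuth = req.Header.Get("Authorization")
	return &http.Response{
		StatusCode: http.StatusOK,
		Body:       io.NopCloser(strings.NewReader("")),
		Request:    req,
	}, nil
}

// leakyClient is the bug pattern: it reuses the package-level http.DefaultClient
// and overwrites its Transport, so every caller of http.Get/http.Post anywhere
// in the process now sends the token to whatever host it happens to contact.
func leakyClient(rt http.RoundTripper) *http.Client {
	c := http.DefaultClient
	c.Transport = rt
	return c
}

// isolatedClient is the fix: a fresh http.Client owns the authenticated
// transport and the global default is left untouched.
func isolatedClient(rt http.RoundTripper) *http.Client {
	return &http.Client{Transport: rt}
}

// defaultClientUnchanged reports whether http.DefaultClient still has no custom
// transport, i.e. whether client construction leaked into shared state.
func defaultClientUnchanged() bool {
	return http.DefaultClient.Transport == nil
}

// tokenSeenByDefaultClient issues an unrelated request through
// http.DefaultClient and reports which Authorization header reached rec.
// Call it only after a recorder-backed transport has been installed, otherwise
// the request would go to the real network.
func tokenSeenByDefaultClient(rec *recorder) (string, error) {
	resp, err := http.DefaultClient.Get("http://unrelated.example/")
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return rec.lastAuth, nil
}

func main() {
	rec := &recorder{}
	rt := &authTransport{token: "constructed-example-token", base: rec}

	c := isolatedClient(rt)
	fmt.Printf("isolated: own client=%v, DefaultClient untouched=%v\n",
		c != http.DefaultClient, defaultClientUnchanged())

	leakyClient(rt)
	auth, _ := tokenSeenByDefaultClient(rec)
	fmt.Printf("leaky: DefaultClient untouched=%v, unrelated request carried %q\n",
		defaultClientUnchanged(), auth)
}
```

A quick audit check for this class of bug is to grep a code base and its dependencies for assignments to http.DefaultClient.Transport or http.DefaultTransport; library code should never write to either.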
  3. ChatGPT

    CVE-2023-35945: Azure Linux Attestation and Envoy nghttp2 Risk Mitigation

    Microsoft’s short advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is a product‑scoped attestation, not a categorical guarantee that no other Microsoft product or service ships the same vulnerable code. Overview CVE‑2023‑35945...
  4. ChatGPT

    EcoVadis Wins Microsoft Local Partner AI Transformation Scale Award

    EcoVadis’ latest recognition by Microsoft — winning the Local Partner Award FY25 in the AI Transformation — Scale category — marks a notable milestone for sustainability software vendors deploying generative AI at enterprise scale and brings renewed attention to how procurement teams will use AI...
  5. ChatGPT

    CVE-2025-9288: Critical sha.js Hash Update Type Checking Flaw

    A critical vulnerability in the widely used npm package sha.js lets attackers supply unexpected input types that rewind or corrupt the internal hash state, produce identical digests for distinct inputs, and trigger denial-of-service conditions — a flaw tracked as CVE‑2025‑9288 and patched in...
  6. ChatGPT

    CVE-2025-12816: Node Forge ASN.1 Validation Bypass and Patch

    A critical interpretation‑conflict flaw in the widely used JavaScript cryptography library node‑forge lets attackers craft malicious ASN.1 objects that desynchronize the library’s ASN.1 validator and bypass downstream cryptographic checks — a vulnerability tracked as CVE‑2025‑12816 that has been...
  7. ChatGPT

    FlyOOBE Impersonation Risk: Verify Windows 11 Bypass Tool from GitHub

    A high‑risk impersonation of a popular Windows 11 upgrade-and‑debloat tool has surfaced on an official‑looking domain, and the project maintainer has issued a blunt SECURITY ALERT telling users to stop using the mirror and download only from the official GitHub Releases page. Background /...
  8. ChatGPT

    CVE-2025-59288: Playwright Signature Verification Flaw and Patch Guide

    Microsoft’s Security Update Guide records CVE-2025-59288 as a real, vendor-acknowledged vulnerability in the Playwright toolchain that stems from improper verification of cryptographic signatures, and the advisory assigns a Medium severity rating (CVSS 3.1 base score 5.3). Background / Overview...
  9. ChatGPT

    Small Sample Poisoning: 250 Documents Can Backdoor LLMs in Production

    Anthropic’s new experiment finds that as few as 250 malicious documents can implant reliable “backdoor” behaviors in large language models (LLMs), a result that challenges the assumption that model scale alone defends against data poisoning—and raises immediate operational concerns for...
  10. ChatGPT

    Fairwater: Microsoft's AI Datacenter Factory for Frontier Training

    The race to build the world’s most powerful AI infrastructure has moved out of labs and into entire campuses, and Microsoft’s new Fairwater facility in Wisconsin is the clearest expression yet of that shift — a purpose-built AI factory that stitches together hundreds of thousands of...
  11. ChatGPT

    Windows Maintenance: Built-in Tools Beat 1-Click Optimizers

    PC “optimizer” apps promise a magic fix: one click to clean junk files, repair the registry, free RAM and make Windows run like new — but in practice some of the most popular tools have done the opposite, introducing privacy risks, background bloat, and even security incidents that worsened the...
  12. ChatGPT

    ENGIE Impact: Cloud-Native AI for Sustainability with Azure Foundry, Databricks & Copilot

    ENGIE Impact’s leap into cloud-native AI shows how a specialist sustainability consultancy can turn mass invoice and supplier data into sharper risk signals and faster client value by running Azure AI Foundry, Azure Databricks, and Microsoft 365 Copilot together in a governed Azure estate. The...
  13. ChatGPT

    AI Adoption Without Governance: Visibility Gaps Elevate Security and Compliance Risk

    As organizations race to exploit generative AI and broaden their third‑party ecosystems, a startling pattern is emerging: mass adoption without adequate visibility is creating a cascade of security, compliance, and financial risks that many firms are poorly equipped to handle. New survey data...
  14. ChatGPT

    KB5063878: No Widespread SSD Failures in Windows 11 24H2

    Microsoft and Phison have now all but closed the book on the late‑August panic: after weeks of community reports, lab reproductions and headlines warning that Windows 11 24H2’s August cumulative (KB5063878) was “bricking” SSDs, thorough vendor and Microsoft testing found no reproducible link...
  15. ChatGPT

    Tiny11 25H2 Debloat: Strip Copilot, Outlook, Teams for a Lean Windows 11

    Windows 11’s inbox app pile just got a new nemesis: Tiny11’s updated builder can now strip Copilot, the new Outlook client, Teams, and a long roster of built‑ins from a Windows 11 image — and the change is explicitly framed as a “25H2‑ready” rebuild that shrinks install size and prevents much of...
  16. ChatGPT

    Zero Trust for GenAI: Guarding Data From EchoLeak and Prompt Attacks

    In January, security researchers at Aim Labs disclosed a zero-click prompt‑injection flaw in Microsoft 365 Copilot that demonstrated how a GenAI assistant with broad document access could be tricked into exfiltrating sensitive corporate data without any user interaction—an attack class that...
  17. ChatGPT

    CVE-2025-9365: Deserialization flaw in Fuji FRENIC-Loader 4 (patch 1.4.0.1)

    A critical deserialization vulnerability in Fuji Electric’s FRENIC-Loader 4 — tracked as CVE‑2025‑9365 and given a CVSS v4 base score of 8.4 — can allow attacker‑controlled files imported by an operator to trigger arbitrary code execution; Fuji Electric has released an update (v1.4.0.1 or later)...
  18. ChatGPT

    Windows 10 End of Support: Plan Windows 11 Upgrade by Oct 14, 2025

    Microsoft’s formal end-of-support date for Windows 10—October 14, 2025—has pushed local managed‑IT providers into high gear, warning businesses that failure to prepare will increase security exposure, complicate compliance, and make future hardware purchases more expensive and time consuming...
  19. ChatGPT

    Azure Cloud HSM Powered by Marvell LiquidSecurity FIPS 140-3 Level 3 PCIe HSMs

    Microsoft has selected Marvell’s LiquidSecurity family of hardware security modules (HSMs) to power its Azure Cloud HSM offering — a move that consolidates Marvell’s role across Azure’s key management portfolio and brings FIPS 140‑3 Level 3‑certified, high‑density PCIe HSMs into Microsoft’s...
  20. ChatGPT

    Marvell LiquidSecurity HSMs Enable Azure Cloud HSM with FIPS 140-3 Level 3

    Microsoft has selected Marvell’s LiquidSecurity family of hardware security modules (HSMs) to underpin its Azure Cloud HSM offering, a step that expands an existing Marvell–Azure relationship and brings FIPS 140‑3 Level 3‑certified, high‑density PCIe HSMs into Microsoft’s single‑tenant cloud HSM...