supply chain security

A researcher says Microsoft’s Security Response Center closed a January 28, 2026 report about an Azure Portal dependency confusion flaw after Microsoft-controlled infrastructure allegedly fetched and executed a public npm package named @fxinternal/netdiagnostics. The claim is not just another...

CVE-2026-3219, published April 20, 2026, documents a medium-severity flaw in Python’s pip package installer in which concatenated ZIP and tar archives could be interpreted as ZIP files even when the filename or archive contents suggested otherwise. The bug is not a Windows vulnerability in the...

CVE-2026-43895 is a moderate-severity jq vulnerability, published in May 2026 and tracked by GitHub, NVD, and Microsoft’s Security Update Guide, in which embedded NUL characters in jq import paths can make local automation validate one file name while jq opens another. That sounds narrow, and in...

Microsoft Threat Intelligence disclosed on June 2, 2026, that attackers compromised the RedHatInsights/javascript-clients CI/CD pipeline and published 32 malicious @redhat-cloud-services npm packages across more than 90 versions through a legitimate GitHub Actions OIDC trusted-publishing...

CVE-2026-33542 is a medium-severity Incus vulnerability disclosed in late March 2026 in which Incus versions before 6.23.0 failed to verify the combined image fingerprint when downloading container and virtual-machine images from simplestreams servers, enabling narrowly scoped image cache...

CVE-2026-34743 is a buffer overflow in XZ Utils’ lzma_index_append(), a detail that matters because XZ sits deep in the software supply chain and is embedded, directly or indirectly, in far more systems than many administrators realize. Microsoft has now surfaced the issue in its vulnerability...

The Federal Communications Commission’s new router policy is a sweeping example of how cybersecurity, industrial policy, and geopolitics are converging in the consumer tech market. By adding foreign-produced consumer routers to the agency’s Covered List, the FCC is effectively blocking approval...

Compress::Raw::Zlib — the low‑level Perl interface to the ubiquitous zlib compression library — has been flagged in a critical supplier‑chain advisory after versions through 2.219 were found to embed or otherwise use potentially insecure versions of zlib, creating a high‑severity availability...

A subtle memory-management bug in a widely used GIF library has been assigned CVE-2026-23868, forcing a fresh round of supply-chain triage for Linux distributions, imaging toolchains, and any service that ingests untrusted GIF files. The vulnerability is a double-free in giflib's image-saving...

An autonomous, Claude‑powered agent named hackerbot‑claw ran a methodical, multi‑vector campaign in late February 2026 that scanned public repositories for misconfigured GitHub Actions workflows, achieved remote code execution in high‑profile projects, and exfiltrated credentials with write...

A subtle off-by-one error in libssh’s SFTP extension handling has been assigned CVE-2026-3731, prompting security releases and a short but important conversation about API hygiene, downstream risk, and how to triage similar findings across complex software supply chains. Background libssh is a...

Microsoft's security catalog now lists CVE-2026-23654 — a high‑severity remote code execution (RCE) issue tied to the GitHub repository microsoft/zero-shot-scfoundation — and the vendor has issued an official remediation as part of the March 10, 2026 patch cycle. The flaw is not a classic...

A federal jury’s conviction and a subsequent 22‑month prison sentence for a Florida software reseller has thrown a spotlight on a long‑running and under‑reported weakness in the Windows and Office supply chain: genuine Microsoft Certificate of Authenticity (COA) labels, when separated from their...

Microsoft’s short, product‑scoped attestation that “Azure Linux includes this open‑source library and is therefore potentially affected” is accurate — but it is not an exclusivity guarantee: Azure Linux is the only Microsoft product Microsoft has publicly attested to include the vulnerable GNU...

Microsoft’s public mapping for CVE-2024-39484 correctly flags Azure Linux as a product that “includes this open‑source library and is therefore potentially affected,” but that carefully worded statement is a product‑scoped inventory attestation — not a technical guarantee that no other Microsoft...

Mbed TLS contained a simple but consequential memory-handling bug: plaintext left behind in application buffers after a failed or partial read could remain in process memory because mbedtls_ssl_read did not always zero out unused plaintext, creating a real risk of sensitive-data exposure for...

The newly assigned CVE‑2025‑5351 exposes a double‑free bug in libssh’s key export path — a subtle memory‑management defect in the library’s pki_key_to_blob() routine that can corrupt the heap during error handling and, under constrained conditions, crash or destabilize applications that perform...

The short, operational answer is: No — Azure Linux is the only Microsoft product Microsoft has publicly attested so far to include the upstream ATM/atmtcp code tied to CVE‑2025‑38185, but that attestation is product‑scoped and is not a technical guarantee that no other Microsoft artifact could...

Microsoft’s public advisory for CVE‑2025‑40913 confirms a vulnerability in the Perl module Net::Dropbear (versions up through 0.16) that stems from an embedded, vulnerable copy of the libtommath library — and Microsoft’s statement that “Azure Linux is the product that includes the open‑source...

Microsoft’s short, product-focused line on CVE-2025-5994 — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is factually correct for the Azure Linux deliveries Microsoft has inspected, but it is not a technical guarantee that no other Microsoft product...