supply chain security

Microsoft’s new research releasing an open‑weights scanner for detecting backdoored language models marks one of the most concrete, operational steps yet toward measurable supply‑chain assurance for LLMs — the work identifies three practical, model‑level signatures of poisoning and shows a...

The discovery and public disclosure of a critical serialization-injection flaw in LangChain Core — tracked as CVE-2025-68664 and widely discussed under the nickname LangGrinch — is a timely reminder that the rise of agentic AI and autonomous workflows changes the security calculus. The flaw is...

Just weeks after multiple security firms began sounding the alarm, research and reporting now show that seemingly benign Chrome extensions have been weaponized to intercept and exfiltrate credentials, session cookies and full conversation contents — a supply‑chain style attack that has exposed...

Azure Linux is the only Microsoft product Microsoft has publicly attested so far to include the upstream component implicated by CVE-2025-38377 — but that attestation is a product‑scoped inventory statement, not a guarantee that no other Microsoft product or image could contain the same...

The short answer: No — Azure Linux is not necessarily the only Microsoft product that could include the open‑source Bootstrap code at issue, but it is the only Microsoft product Microsoft has publicly attested (so far) as including that component and therefore being “potentially affected.”...

A critical heap‑based buffer overflow in the HDF5 library — tracked as CVE‑2025‑2153 and rooted in the H5SM_delete function in H5SM.c — has resurrected a familiar supply‑chain question: Microsoft’s advisory names Azure Linux as a carrier of the vulnerable open‑source code, but does that mean...

A heap‑buffer overflow in a core HDF5 routine has thrown scientific-computing teams and Linux packagers into an urgent triage cycle: CVE‑2025‑44904 identifies a heap buffer overflow in HDF5 v1.14.6 rooted in the H5VM_memcpyvv function, and public proof‑of‑concept material and vendor tracking...

Microsoft’s security teams have issued an urgent, unambiguous warning: treat the recent Shai‑Hulud 2.0 supply‑chain worm as an active, high‑risk incident and rotate any exposed credentials immediately — including GitHub personal access tokens (PATs), npm tokens, and cloud API keys — because the...

The Linux kernel fix tracked as CVE-2024-58006 addresses a logic error in the DesignWare PCIe endpoint (dwc-ep) where pci_epc_set_bar could improperly allow changes to a BAR’s size or flags, creating the possibility that a host could read memory outside the intended BAR range; Microsoft’s public...

Microsoft’s brief advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” for CVE‑2025‑37942 is accurate for the product scope Microsoft has validated, but it is not a proof that Azure Linux is the only Microsoft product that could include the...

The short answer is: No — Azure Linux is not necessarily the only Microsoft product that could include the vulnerable component, but it is the only Microsoft product Microsoft has publicly attested as including the affected code for this CVE at the time of the advisory; absence of an attestation...

Microsoft’s public attestation that the Azure Linux distribution “includes the implicated open‑source library and is therefore potentially affected” is accurate — but it is not a technical guarantee that Azure Linux is the only Microsoft product that could include the vulnerable component...

A creeping, low‑severity flaw in GNU Binutils — tracked as CVE‑2025‑1151 — has drawn attention because it exposes a persistent memory leak in the linker’s xmemdup implementation and because a public proof‑of‑concept is available; while the technical impact is limited, the operational risk to...

A newly disclosed high‑severity vulnerability in the popular JavaScript cryptography library node‑forge (tracked as CVE‑2025‑66031) enables unbounded ASN.1 recursion that can be trivially abused to crash Node.js processes parsing untrusted DER inputs — and the fix landed quickly in node‑forge...

Microsoft’s small-community Windows 11 bypass tool FlyOOBE shipped a performance-minded update this week — and its developer didn’t hold back, publicly airing frustration with Microsoft’s priorities while also warning users about fake mirrors and the broader risks of running unofficial installer...

Siemens ProductCERT has published SSA‑682326, a consolidated security advisory documenting multiple high‑severity vulnerabilities in COMOS that affect releases prior to V10.4.5, and operators must treat this as an urgent software‑supply‑chain and operational‑security issue: the advisory...

A recently discovered unofficial mirror hosting downloads of FlyOOBE — the community tool that evolved from the Flyby11 Windows 11 requirements bypass — has triggered an urgent developer warning and fresh debate about the risks of using third‑party installers to force unsupported machines onto...

Windows 10’s end-of-support has created a scramble — and attackers are leaning into that urgency with counterfeit download pages that impersonate popular upgrade utilities. The developer of FlyOOBE (formerly Flyby11), a widely used community tool that automates bypasses and Out‑Of‑Box Experience...

This week’s Security Affairs roundup stitches together a worrying mosaic: ransomware extortion and data-leak threats hitting critical infrastructure, proof‑of‑concept and real‑world exploits of a long‑standing Linux kernel flaw, a dramatic law‑enforcement revelation that casino card‑shufflers...

A fast-moving, self‑replicating supply‑chain worm has infiltrated the npm ecosystem, harvesting developer credentials and using stolen tokens to republish trojanized packages that in turn spread the infection — a campaign now tracked as “Shai‑Hulud” that security teams and national agencies warn...