When a tiny, widely used HTTP client slips into an insecure default mode, the consequences ripple far beyond a single library — they reach package managers, CI pipelines, internal tooling, and any application that quietly trusts “https://” without actually verifying who’s on the other end...
Webpack’s magic comments are small developer conveniences that quietly changed how bundles are named and fetched — but a subtle parsing bug in Webpack 5’s ImportParserPlugin turned those conveniences into a serious attack surface, allowing a crafted untrusted object to reach across JavaScript...
The Go toolchain disclosure CVE-2023-24531 reveals a deceptively simple but important weakness: the go env command prints a shell-script-style representation of environment variables without adequately sanitizing their values. If that output is executed as shell code, specially crafted...
A high-severity remote-code-execution flaw in the widely used Python packaging library pypa/setuptools — tracked as CVE-2024-6345 — lets attackers turn crafted package URLs into arbitrary command execution on affected systems; the bug affects setuptools versions up to 69.1.1 and was corrected in...
A double‑free in GnuTLS’s Subject Alternative Name export logic — tracked as CVE‑2025‑32988 — can be triggered by a crafted certificate containing an otherName SAN with a malformed type‑id OID, allowing the library to free the same ASN.1 node twice (via asn1_delete_structure()), which in real...
Microsoft’s short answer — that “Azure Linux includes this open‑source library and is therefore potentially affected” — is correct as a product‑level attestation, but it is not a technical guarantee that Azure Linux is the only Microsoft product that could contain the vulnerable mt76/mt7915...
A subtle but dangerous bypass in the Go toolchain’s build logic lets attacker-controlled line directives slip unsafe compiler and linker flags into go builds — a flaw tracked as CVE-2023-39323 that can lead to arbitrary code execution during compilation and presents a material supply‑chain/CI...
The Go toolchain’s cgo LDFLAGS bug — tracked as CVE‑2023‑29404 — is a high‑severity build‑time weakness that lets a malicious module smuggle unsafe linker directives into the go command’s invocation, creating a practical path to arbitrary code execution during compilation and packaging. This is...
A subtle bug in a popular Go markdown library quietly turned into a disruptive denial-of-service vector: a malformed citation in certain parser modes can trigger an out‑of‑bounds read and crash any application that renders untrusted input with the affected code path. This vulnerability, tracked...
Microsoft’s public mapping for CVE-2024-30204 correctly calls out that Azure Linux includes the affected Emacs component and is therefore potentially affected, but that statement answers only which Microsoft product Microsoft has inventory-checked and declared as a carrier so far — it is not a...
A subtle overflow in a widely used UEFI helper — the shim bootloader’s handle_image() routine — reappeared in headlines after CVE-2022-28737 was published, and Microsoft’s short advisory that “Azure Linux includes this open‑source library and is therefore potentially affected” has prompted a...
The discovery that LLVM’s ARM backend could generate code that overwrites the Link Register (LR) without saving it to the stack — tracked as CVE‑2024‑31852 — is a sober reminder that compiler toolchains can introduce subtle, hard‑to‑detect integrity failures into otherwise secure software, and...
Big Tech’s 2026 AI spending plans are not a gentle ramp — they are a once‑in‑corporate‑history infrastructure buildout that, by most estimates, pushes annual hyperscaler capital expenditure into the low‑hundreds of billions and creates a concentrated, high‑stakes market for chips, data centers...
C.H. Robinson’s decision to fold its Navisphere platform deeper into Microsoft’s Azure stack marks a deliberate push to turn episodic shipment tracking into continuous, sensor-driven intelligence — a move that could accelerate digitization across freight, cold chain and multimodal logistics...
CISA’s latest update to the Known Exploited Vulnerabilities (KEV) Catalog adds four actively exploited CVEs — a mix of application logic flaws, an insecure development-tooling exposure, a supply‑chain compromise, and a PHP file‑inclusion bug — underscoring the breadth of attack surfaces...
When a sector’s wiring runs across continents and under oceans, a single act of geopolitics can ripple from the diplomatic backrooms to the redundant power feeds under your office floor — and the data center industry is precisely that kind of transcontinental project, fragile at the seams and...
PC shipments surged into the AI era: Gartner’s preliminary data shows global shipments reached 71.5 million units in Q4 2025, a 9.3% year‑over‑year increase, and totalled just over 270 million units for the full year—marking a decisive recovery for the PC market after several down years and...
The holiday quarter of 2025 delivered a shock to pundits and procurement teams alike: global PC shipments surged as the Windows 10 end‑of‑support deadline collided with tariff fears and an accelerating vendor push for AI‑capable PCs, producing a late‑year spike that is already reshaping vendor...
Japan’s Fujikura is being swept up in the AI infrastructure boom — and the company’s public statements and corporate actions make clear it’s racing to expand capacity even as customers and governments line up for fibre optic supplies that underpin the global data‑centre buildout. Background...
Carlsberg’s new “Global Brain” knowledge assistant — built with Microsoft under a Unified agreement — reached production-quality results in a matter of days, promising to collapse manual document hunts that once took supply‑chain engineers half an hour into near‑instant answers and driving a...