supply-chain

36 pieces of writing

PCPJack, polyfill CDN and Bright Data SDK show supply chain attacks moving into runtime weaponisation

Supply chain compromise is shifting from static package poisoning towards runtime weaponisation, where trusted code becomes a credential harvester, traffic broker or covert infrastructure node after deployment.

11 June 2026

security13 min read

MCP OAuth token persistence turns AI orchestration into a supply-chain trust boundary

28 May 2026

security13 min read

May 2026 developer-tooling compromises: VS Code extensions, PyPI packages and GitHub Actions turned workstations into supply-chain targets

26 May 2026

security11 min read

GitHub Actions OIDC and TanStack show why 2026 supply chain attacks target release authority

Supply chain compromise has shifted from stealing credentials to poisoning package ecosystems through compromised CI/CD systems, maintainer accounts and trusted execution paths.

19 May 2026

security14 min read

Checkmarx KICS, npm Bitwarden CLI and GlassWorm show developer trust is the supply chain target

29 April 2026

security10 min read

Vercel breached through a compromised Context.ai OAuth grant

20 April 2026

security9 min read

From tj-actions to LiteLLM to MCP: supply chain compromise now operates at infrastructure scale

Eighteen months of supply chain attacks against AI infrastructure reveal a structural pattern: the build pipeline, the package registry and the runtime protocol all share the same trust model failure.

17 April 2026

security10 min read

Anthropic shipped its entire source code to npm and the internet kept it forever

31 March 2026

security12 min read

Environment variables are the new command line: how AI agents keep leaking secrets through configuration files

28 March 2026

security9 min read

TeamPCP compromised the AI proxy that holds everyone's API keys

LiteLLM, the universal LLM proxy with 95 million monthly downloads, was backdoored on PyPI for 46 minutes. It was enough.

25 March 2026

security12 min read

Git tags, package registries and extension marketplaces share the same broken authentication model

24 March 2026

security7 min read

Hermes Agent's worktree feature copied arbitrary files from your filesystem

19 March 2026

security12 min read

MCP gave AI tools a standard interface. Researchers found it was also an attack surface.

MCP promised to be the USB-C port for AI. Researchers found it was more like an unlocked door with a welcome mat for attackers.

10 February 2026

security8 min read

UNC5221 stole F5 source code and its customer list

20 October 2025

security7 min read

Basic ransomware hit one airport software vendor and grounded five European airports overnight

25 September 2025

Weekly digests

supply-chain

PCPJack, polyfill CDN and Bright Data SDK show supply chain attacks moving into runtime weaponisation

MCP OAuth token persistence turns AI orchestration into a supply-chain trust boundary

May 2026 developer-tooling compromises: VS Code extensions, PyPI packages and GitHub Actions turned workstations into supply-chain targets

GitHub Actions OIDC and TanStack show why 2026 supply chain attacks target release authority

Checkmarx KICS, npm Bitwarden CLI and GlassWorm show developer trust is the supply chain target

Vercel breached through a compromised Context.ai OAuth grant

From tj-actions to LiteLLM to MCP: supply chain compromise now operates at infrastructure scale

Anthropic shipped its entire source code to npm and the internet kept it forever

Environment variables are the new command line: how AI agents keep leaking secrets through configuration files

TeamPCP compromised the AI proxy that holds everyone's API keys

Git tags, package registries and extension marketplaces share the same broken authentication model

Hermes Agent's worktree feature copied arbitrary files from your filesystem

MCP gave AI tools a standard interface. Researchers found it was also an attack surface.

UNC5221 stole F5 source code and its customer list

Basic ransomware hit one airport software vendor and grounded five European airports overnight

Weekly threat intelligence digest — 2026-W23

Weekly threat intelligence digest — 2026-W21

Weekly threat intelligence digest — 2026-W20

Weekly threat intelligence digest — 2026-W19

Weekly threat intelligence digest — 2026-W17

Weekly threat intelligence digest — 2026-W16

Weekly threat intelligence digest — 2026-W15

Weekly threat intelligence digest — 2026-W14

Weekly threat intelligence digest — 2026-W13

Weekly threat intelligence digest — 2026-W12

Weekly threat intelligence digest — 2026-W11

Weekly threat intelligence digest — 2026-W10

Weekly threat intelligence digest — 2026-W09

Weekly threat intelligence digest — 2025-W34

Weekly threat intelligence digest — 2025-W18

Weekly threat intelligence digest — 2025-W17

Weekly threat intelligence digest — 2025-W16

Weekly threat intelligence digest — 2025-W11

Weekly threat intelligence digest — 2025-W04

Weekly threat intelligence digest — 2025-W03