The Security Scanner That Tried to Steal Your Secrets
Trivy got popped, then KICS got popped, and the lesson is that version tags are not a security boundary.
8 transmissions tagged #supply-chain
A malicious version of LiteLLM sat on PyPI for days, stealing credentials from thousands of AI shops. The attack itself is boring. The failure modes that enabled it are not.
LiteLLM 1.82.8 shipped with a credential-stealing .pth file that fires the moment Python starts. No import needed. Your secrets are already gone.
Iranian drone strikes on Qatar's Ras Laffan knocked out a third of global helium supply. Your chips run on the stuff. Two weeks of inventory remain.
Check Point found three ways a malicious repo could own your machine through Claude Code — RCE, MCP abuse, and silent API key theft. All patched, all embarrassing.
A suspicious CPU spike, a poisoned release, and a community that caught the blade mid-swing.
Lotus Blossom hijacked Notepad++'s update infrastructure for half a year and nobody noticed until a bug fix quietly mentioned 'updater hardening.'
A two-year courtship, a backdoor in the wings, and one engineer who heard the orchestra go wrong.