supply-chain
Browse all articles, tutorials, and guides about supply-chain
Posts
The US Government Pulled Two Frontier Models Overnight. The Real Lesson Is About Your Stack
On June 12, 2026, an export-control directive forced Anthropic to disable Claude Fable 5 and Mythos 5 for every user worldwide, three days after launch. The policy fight is interesting. The operational lesson for anyone building on a single model provider is more urgent.
npm v12 Will Stop Running Install Scripts. We Audited Our Repos to See What Actually Breaks
Starting with npm v12 (estimated July 2026), dependency install scripts will not run unless you allowlist them. We ran the new audit tooling on our own production repos: 65 packages flagged, 4 that matter, and a surprising amount of nothing breaking.
Mini Shai-Hulud: PyTorch Lightning Just Stole Your CI Secrets
On April 30, a supply chain worm pushed malicious versions of PyTorch Lightning (10M+ downloads/month), intercom-client, and intercom-php to PyPI, npm, and Packagist within 48 hours. It steals every credential in your CI and propagates through your own GitHub tokens. Here is what to check and what to rotate.
CVE-2026-3854: A Single git push Owned GitHub
A semicolon in a git push option let any authenticated user run code on GitHub.com's backend and on 88% of self-hosted GitHub Enterprise installs. Here is how the bug worked and what to do.
The MCP Design Flaw That Exposes 150M Downloads to RCE
Researchers at OX Security disclosed an architectural vulnerability in Anthropic MCP that enables remote code execution across Python, TypeScript, Java, and Rust SDKs. Anthropic calls it "by design." Here is how the flaw works, which tools are affected, and what to do if you use Cursor, Claude Code, LangChain, or anything with an MCP server.
The Vercel April 2026 Security Incident: What Happened and What to Do About It
Vercel disclosed a security incident that started with a compromised OAuth app at Context.ai, escalated through a Vercel employee Google Workspace account, and reached internal systems plus customer environment variables not marked sensitive. Here is the attack chain, what was exposed, and what to change in your deployments.
Two Composer Command Injection Flaws Let Attackers Run Arbitrary Code - Even Without Perforce
CVE-2026-40176 and CVE-2026-40261 affect all Composer 2.x versions. A malicious composer.json or crafted package metadata can execute OS commands on your machine. Upgrade to 2.9.6 now.
The Axios Supply Chain Attack: What DevOps Teams Need to Know
A compromised npm maintainer account led to malicious axios versions deploying a RAT across macOS, Windows, and Linux. Here is what happened, how to check if you are affected, and how to prevent this in your pipeline.
CI/CD Pipeline Hardening: A Practical Guide to Securing Your Build Infrastructure
Your CI/CD pipeline has access to source code, secrets, and production environments. Here is how to harden it against supply chain attacks, secret exfiltration, and artifact tampering.