
supply-chain

Browse all articles, tutorials, and guides about supply-chain

6 posts

Posts

Security
2026-05-04|13 min read

CVE-2026-3854: A Single git push Owned GitHub

A semicolon in a git push option let any authenticated user run code on GitHub.com's backend and on 88% of self-hosted GitHub Enterprise installs. Here is how the bug worked and what to do.

DevOps
2026-04-20|9 min read

The MCP Design Flaw That Exposes 150M Downloads to RCE

Researchers at OX Security disclosed an architectural vulnerability in Anthropic MCP that enables remote code execution across Python, TypeScript, Java, and Rust SDKs. Anthropic calls it "by design." Here is how the flaw works, which tools are affected, and what to do if you use Cursor, Claude Code, LangChain, or anything with an MCP server.

DevOps
2026-04-20|8 min read

The Vercel April 2026 Security Incident: What Happened and What to Do About It

Vercel disclosed a security incident that started with a compromised OAuth app at Context.ai, escalated through a Vercel employee Google Workspace account, and reached internal systems plus customer environment variables not marked sensitive. Here is the attack chain, what was exposed, and what to change in your deployments.

Security
2026-04-14|6 min read

Two Composer Command Injection Flaws Let Attackers Run Arbitrary Code - Even Without Perforce

CVE-2026-40176 and CVE-2026-40261 affect all Composer 2.x versions. A malicious composer.json or crafted package metadata can execute OS commands on your machine. Upgrade to 2.9.6 now.

DevOps
2026-03-31|7 min read

The Axios Supply Chain Attack: What DevOps Teams Need to Know

A compromised npm maintainer account led to malicious axios versions deploying a RAT across macOS, Windows, and Linux. Here is what happened, how to check if you are affected, and how to prevent this in your pipeline.

Security
2025-01-24|12 min read

CI/CD Pipeline Hardening: A Practical Guide to Securing Your Build Infrastructure

Your CI/CD pipeline has access to source code, secrets, and production environments. Here is how to harden it against supply chain attacks, secret exfiltration, and artifact tampering.