Vulnerability & Threat Response

npm supply chain attack 2025: ‘Shai-Hulud’ CI fixes

npm supply chain attack 2025: ‘Shai-Hulud’ CI fixes

Leave a Comment / Vulnerability & Threat Response /

npm supply chain attack 2025: ‘Shai-Hulud’ CI fixes Developers are on the front line of the npm supply chain attack 2025 (the “Shai-Hulud” worm) that targets CI secrets and account tokens. This developer-first incident-response playbook shows exactly how to contain it in hours—not weeks—by enforcing trusted publishing, granular tokens, provenance checks, and safe build defaults […]

npm supply chain attack 2025: ‘Shai-Hulud’ CI fixes Read More »

Gate CI with CISA KEV JSON: Ship Safer Builds

Leave a Comment / KEV, Vulnerability & Threat Response /

Gate CI with CISA KEV JSON: Ship Safer Builds If you’re already generating SBOMs, you’re a 10-minute script away from turning CISA KEV JSON into a hard gate in CI/CD. The latest KEV additions—like the Chrome V8 type confusion vulnerability (CVE-2025-10585)—show how fast browser/JS engines move. Your pipeline should block risky versions on sight, not

Gate CI with CISA KEV JSON: Ship Safer Builds Read More »

Chrome V8 KEV: CVE-2025-10585 Deep Dive

Chrome V8 KEV: CVE-2025-10585 Deep Dive

1 Comment / CVE, Vulnerability & Threat Response /

Chrome V8 KEV: CVE-2025-10585 Deep Dive TL;DR (for engineering leaders) What CVE-2025-10585 is—and why it’s in KEV Impact paths to review Mitigation steps (patch, backport, harden) 1) Patch to fixed versions 2) Consider temporary hardening (risk-based) Electron example (main process): (Use only where user experience permits; track crashes/telemetry.) Screenshot of our Free Website Vulnerability Scanner

Chrome V8 KEV: CVE-2025-10585 Deep Dive Read More »

PyTorch Supply Chain Attack: Dev Guardrails

PyTorch Supply Chain Attack: Dev Guardrails

Leave a Comment / Vulnerability & Threat Response /

PyTorch Supply Chain Attack: Dev Guardrails Open-source registries remain hot targets. In September 2025, PyPI disclosed an attack campaign abusing GitHub Actions to exfiltrate PyPI tokens, and researchers flagged fresh malicious PyPI packages—reminders that ML stacks (including PyTorch projects) are squarely in scope. Lock everything with hashes, gate installs through a curated mirror, fail builds

PyTorch Supply Chain Attack: Dev Guardrails Read More »

CVE-2025-10585: Chrome Zero-Day Patch & Guardrails

Chrome 10585 Zero-Day: Patch & Guardrails

Leave a Comment / CVE, Vulnerability & Threat Response /

CVE-2025-10585: Chrome Zero-Day Patch & Guardrails What Google shipped—and why this RCE matters (confirm SBOM impact) Google’s stable channel shipped 140.0.7339.185/.186 on Sep 17, 2025, addressing four bugs—most urgently CVE-2025-10585, a V8 type-confusion vulnerability exploited in the wild. Type confusion enables memory corruption → potential arbitrary code execution via crafted JS/Wasm, so treat this as

Chrome 10585 Zero-Day: Patch & Guardrails Read More »

Git CVE-2025-48384: Safe Submodules in Practice

Git CVE-2025-48384: Safe Submodules in Practice

Leave a Comment / CVE, Vulnerability & Threat Response /

Git CVE-2025-48384: Safe Submodules in Practice This post is for engineers who live in Git: devs, SREs, CI owners. You’ll get the exact patched Git versions, how to check and enforce them across laptops and pipelines, plus guardrails to stop dangerous submodules from ever running code in your builds. TL;DR Explainer: CR/LF parsing → arbitrary

Git CVE-2025-48384: Safe Submodules in Practice Read More »