Vulnerability & Threat Response

PyTorch Supply Chain Attack: Dev Guardrails


Open-source registries remain hot targets. In September 2025, PyPI disclosed an attack campaign abusing GitHub Actions to exfiltrate PyPI tokens, and researchers flagged fresh malicious PyPI packages—reminders that ML stacks (including PyTorch projects) are squarely in scope. Lock everything with hashes, gate installs through a curated mirror, fail builds […]


CVE-2025-10585: Chrome Zero-Day Patch & Guardrails


What Google shipped—and why this RCE matters (confirm SBOM impact)

Google’s stable channel shipped 140.0.7339.185/.186 on Sep 17, 2025, addressing four bugs—most urgently CVE-2025-10585, a V8 type-confusion vulnerability exploited in the wild. Type confusion enables memory corruption → potential arbitrary code execution via crafted JS/Wasm, so treat this as


Git CVE-2025-48384: Safe Submodules in Practice


This post is for engineers who live in Git: devs, SREs, CI owners. You’ll get the exact patched Git versions, how to check and enforce them across laptops and pipelines, plus guardrails to stop dangerous submodules from ever running code in your builds.

TL;DR Explainer: CR/LF parsing → arbitrary
