Vulnerabilities, breaches, supply-chain attacks, and defensive security.
Werner Koch shipped GnuPG 2.5.19 on April 24 with FIPS-203 ML-KEM, the first stable post-quantum encryption algorithm in OpenPGP. Here's what changed and what didn't.
Aikido found a stage-2 Go binary inside two health-check-themed packages that runs an OpenAI-compatible router routing Claude, GPT, and Gemini traffic through Chinese aggregators.
A malicious @bitwarden/cli@2026.4.0 hit npm on April 22. The payload steals npm tokens, cloud secrets, and Claude Code credentials, then self-replicates.
CVE-2026-40372 lets attackers forge auth cookies on .NET 10.0.6 apps on Linux and macOS. The fix is 10.0.7. Here's what broke, who's exposed, and how to patch.
GHSA-xq3m-2v4x-88gg hits protobuf.js ≤8.0.0 / ≤7.5.4. Attacker-controlled schemas executed arbitrary JS on decode. One-line fix patched it.
IEEE S&P 2026 papers extend GPUHammer with GeForge, GDDRHammer, and GPUBreach. They flip GDDR6 bits to break out of the GPU and own the host.
A Context.ai compromise let attackers take over a Vercel employee's Google Workspace. Non-sensitive env vars were exposed, and a ShinyHunters persona is asking $2M.
Attackers force-pushed 75 of 76 trivy-action tags to a malicious commit. Pinning by tag turned a trusted scanner into an infostealer for CI pipelines.