Articles tagged supply-chain on devtake.dev.https://devtake.dev/en-ushttps://devtake.dev/article/electric-motors-no-rare-earths/https://devtake.dev/article/electric-motors-no-rare-earths/A Renault explainer on rare-earth-free EV motors hit Hacker News. Here's how electric cars run without the magnets China controls, and who's shipping them.Sat, 13 Jun 2026 13:45:00 GMThardwareevhardwarechinasupply-chainsustainabilityhiro-tanakahttps://devtake.dev/article/npm-registry-supply-chain-wave/https://devtake.dev/article/npm-registry-supply-chain-wave/A worm hijacked Red Hat's npm namespace, a rootkit spread through 1,500 Arch AUR packages, and a SOC 2-certified AI gateway shipped malware. Registries are under fire.Sat, 13 Jun 2026 12:45:00 GMTsecuritysecuritysupply-chainnpmopen-sourcemalwareluca-reinhardthttps://devtake.dev/article/ai-agents-package-rce-vulnerability/https://devtake.dev/article/ai-agents-package-rce-vulnerability/A flaw in Starlette, downloaded 325M times a week, let a single Host-header character bypass path-based auth across FastAPI, vLLM, and MCP servers.Mon, 08 Jun 2026 10:00:00 GMTsecuritysecuritysupply-chainai-agentsmcpcve-2026-48710pythonfastapiluca-reinhardthttps://devtake.dev/article/vscode-zero-day-github-token-theft/https://devtake.dev/article/vscode-zero-day-github-token-theft/A disclosed VS Code zero-day lets one click on a malicious github.dev notebook steal a GitHub OAuth token with full read-write access to every private repo.Wed, 03 Jun 2026 13:15:00 GMTsecuritysecuritygithubcredential-theftdev-toolsrcesupply-chainoauthluca-reinhardthttps://devtake.dev/article/ssd-activity-browser-side-channel/https://devtake.dev/article/ssd-activity-browser-side-channel/Graz researchers built FROST, a browser side-channel that times SSD activity to guess which sites and apps you're running. Here's how it works and what helps.Wed, 03 Jun 2026 11:30:00 GMTwebprivacysecuritywebbrowser-securityfingerprintingside-channelsupply-chainnaomi-parkhttps://devtake.dev/article/minecraft-weedhack-malware/https://devtake.dev/article/minecraft-weedhack-malware/McAfee says a free malware-as-a-service stealer called WeedHack has hit 116,000+ Minecraft systems via fake mods and cheats. Here's what it grabs and how to clean up.Wed, 03 Jun 2026 11:00:00 GMTgaminggamingminecraftmalwaresecuritycredential-theftinfostealersupply-chainhiro-tanakahttps://devtake.dev/article/github-bans-researcher-windows-zero-day/https://devtake.dev/article/github-bans-researcher-windows-zero-day/GitHub wiped Nightmare-Eclipse's account on May 23 after weeks of unpatched Windows exploits. The ban reopened the oldest fight in security: who decides what research gets hosted?Fri, 29 May 2026 06:50:00 GMTsecuritysecuritygithubvulnerability-disclosurezero-daymicrosoftwindowssupply-chainrceluca-reinhardthttps://devtake.dev/article/anthropic-glasswing-deception-monitor/https://devtake.dev/article/anthropic-glasswing-deception-monitor/Anthropic says Project Glasswing's first month produced over 10,000 critical-and-high-severity vulns. Verification and patching is the limiting step.Sat, 23 May 2026 09:45:00 GMTaianthropicclaude-mythosproject-glasswingsecurityai-securitysupply-chainvulnerability-disclosuredieter-morellihttps://devtake.dev/article/github-internal-repos-breach-vscode-extension/https://devtake.dev/article/github-internal-repos-breach-vscode-extension/GitHub detected the intrusion on May 18 after a malicious VS Code extension compromised an employee's device. The attacker claims to have exfiltrated 3,800 internal repositories.Fri, 22 May 2026 10:15:00 GMTsecuritysecuritygithubvscodesupply-chaincredential-theftdev-toolsluca-reinhardthttps://devtake.dev/article/cisa-aws-govcloud-keys-github-leak/https://devtake.dev/article/cisa-aws-govcloud-keys-github-leak/GitGuardian found a public CISA repo with 844 MB of secrets, including AWS GovCloud admin keys. The repo sat open for six months.Thu, 21 May 2026 11:15:00 GMTsecuritysecuritycisagithubsupply-chaincredential-theftawsgitguardiangovcloudluca-reinhardthttps://devtake.dev/article/claude-code-rce-deeplink-cve/https://devtake.dev/article/claude-code-rce-deeplink-cve/Joernchen of 0day.click found a deeplink RCE in Claude Code. Anthropic shipped the fix in 2.1.118 the same week.Wed, 20 May 2026 09:15:00 GMTsecuritysecurityanthropicclaude-coderceai-securitysupply-chainai-agentsdev-toolsluca-reinhardthttps://devtake.dev/article/akhter-twins-opexus-database-deletion/https://devtake.dev/article/akhter-twins-opexus-database-deletion/A federal jury convicted Sohaib Akhter on May 7 of wiping 96 government databases at Opexus. His twin Muneeb queried an AI: 'how do I clear system logs from SQL servers.'Fri, 15 May 2026 09:00:00 GMTsecuritysecurityinsider-threatopexuseeoccredential-theftfoiapolicysupply-chainluca-reinhardthttps://devtake.dev/article/tanstack-npm-supply-chain-postmortem/https://devtake.dev/article/tanstack-npm-supply-chain-postmortem/Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.Tue, 12 May 2026 10:15:00 GMTsecuritysecuritysupply-chainnpmtanstackgithub-actionscredential-theftdev-toolsluca-reinhardthttps://devtake.dev/article/chinese-grey-market-claude-api-stolen-credentials/https://devtake.dev/article/chinese-grey-market-claude-api-stolen-credentials/A ChinaTalk investigation reveals how 'transfer stations' resell Anthropic API access using stolen credentials, model substitution, and prompt harvesting.Sun, 10 May 2026 09:30:00 GMTaianthropicclaudeai-securitycredential-theftchinasupply-chainai-modelsdieter-morellihttps://devtake.dev/article/vibe-coded-apps-expose-corporate-data/https://devtake.dev/article/vibe-coded-apps-expose-corporate-data/RedAccess found that AI coding tools like Lovable, Base44, and Replit default to public hosting, leaving medical records, bank internals, and corporate secrets indexed by Google.Sat, 09 May 2026 08:00:00 GMTsecuritysecurityai-securityai-agentsdev-toolssupply-chainprivacycredential-theftluca-reinhardthttps://devtake.dev/article/instructure-canvas-breach-shinyhunters-275m/https://devtake.dev/article/instructure-canvas-breach-shinyhunters-275m/ShinyHunters breached Canvas LMS again, claiming 275 million records from 9,000 schools. Names, emails, student IDs, and private messages exposed.Fri, 08 May 2026 09:00:00 GMTsecuritysecuritydata-breachinstructurecanvasshinyhunterseducationsupply-chaincredential-theftluca-reinhardthttps://devtake.dev/article/daemon-tools-supply-chain-backdoor/https://devtake.dev/article/daemon-tools-supply-chain-backdoor/Kaspersky pinned a supply-chain attack on the DAEMON Tools installer dating to April 8. Thousands hit globally, dozens upgraded to a QUIC RAT implant via signed binaries.Wed, 06 May 2026 10:15:00 GMTsecuritysecuritysupply-chaindaemon-toolsmalwarekasperskyquic-ratcode-signingwindowsluca-reinhardthttps://devtake.dev/article/fcc-chinese-labs-electronics-certification-ban/https://devtake.dev/article/fcc-chinese-labs-electronics-certification-ban/Brendan Carr's FCC advanced the 'Bad Labs' rule on April 30 in a 3-0 vote, kicking off a 60-90 day comment period. The rule covers 126 labs in China and Hong Kong.Sun, 03 May 2026 13:30:00 GMTpolicyfccchinaregulationnational-securitysupply-chainelectronicsbrendan-carrhardwareclara-wexlerhttps://devtake.dev/article/ubuntu-canonical-313-team-ddos-copyfail/https://devtake.dev/article/ubuntu-canonical-313-team-ddos-copyfail/The 313 Team flooded Canonical's infrastructure starting May 1, blocking apt updates and the Ubuntu security API just as admins needed both.Sat, 02 May 2026 09:30:00 GMTsecurityubuntucanonicalddoscopy-failsecuritysupply-chainlinuxluca-reinhardthttps://devtake.dev/article/pytorch-lightning-pypi-compromise-mini-shai-hulud/https://devtake.dev/article/pytorch-lightning-pypi-compromise-mini-shai-hulud/Two malicious lightning releases hit PyPI on April 30. The 42-minute window was enough to ship an RSA-encrypted infostealer to ML developers worldwide.Sat, 02 May 2026 09:00:00 GMTsecuritypytorch-lightningpypisupply-chainmini-shai-huludcredential-theftpythonmlsecurityluca-reinhardthttps://devtake.dev/article/cpanel-whm-auth-bypass-cve-2026-41940/https://devtake.dev/article/cpanel-whm-auth-bypass-cve-2026-41940/cPanel shipped fixes April 28 for a CVSS 9.8 auth bypass that walks attackers into shared-hosting panels with no password. WatchTowr says exploitation started before the patch.Fri, 01 May 2026 11:25:00 GMTsecuritysecuritycpanelweb-hostingcve-2026-41940auth-bypasswatchtowrcredential-theftsupply-chainluca-reinhardthttps://devtake.dev/article/copy-fail-linux-kernel-page-cache-root/https://devtake.dev/article/copy-fail-linux-kernel-page-cache-root/CVE-2026-31431 chains AF_ALG and splice() to write into the page cache of /usr/bin/su. Xint Code disclosed it on April 29, nine years after the bug shipped.Thu, 30 Apr 2026 09:15:00 GMTsecuritysecuritylinuxcve-2026-31431kernelprivilege-escalationsupply-chainubunturhelluca-reinhardthttps://devtake.dev/article/github-rce-cve-2026-3854-wiz/https://devtake.dev/article/github-rce-cve-2026-3854-wiz/CVE-2026-3854 is a CVSS 8.7 RCE in GitHub's git-push pipeline. github.com fixed it within hours. 88% of Enterprise Server installs were still vulnerable at disclosure.Wed, 29 Apr 2026 09:05:00 GMTsecuritygithubsecuritycve-2026-3854rcesupply-chainwizgithub-actionsdev-toolsluca-reinhardthttps://devtake.dev/article/canisterworm-namastex-npm-pypi-supply-chain/https://devtake.dev/article/canisterworm-namastex-npm-pypi-supply-chain/Socket flagged a self-propagating worm in @automagik/genie, pgserve, and 14 sibling Namastex Labs packages. It steals 40 credential categories and republishes itself.Tue, 28 Apr 2026 16:30:00 GMTsecuritynpmsupply-chaincanisterwormsecuritynamastexteampcppypicredential-theftluca-reinhardthttps://devtake.dev/article/sglang-cve-2026-5760-gguf-rce/https://devtake.dev/article/sglang-cve-2026-5760-gguf-rce/SGLang's reranker renders chat templates without a sandbox. Load a hostile GGUF, hit /v1/rerank, and the attacker has Python on your inference box. No patch yet.Mon, 27 Apr 2026 11:30:00 GMTsecuritysglangcve-2026-5760supply-chainai-securityllmrcejinja2ggufluca-reinhardthttps://devtake.dev/article/anthropic-mythos-breach-discord/https://devtake.dev/article/anthropic-mythos-breach-discord/Bloomberg reports a small group accessed Anthropic's locked-down Mythos model the same day it launched, using credentials from a third-party contractor and educated URL guessing.Sat, 25 Apr 2026 11:00:00 GMTaianthropicclaude-mythosai-securitysupply-chainproject-glasswingmercorsecuritydieter-morellihttps://devtake.dev/article/gpt-proxy-npm-supply-chain/https://devtake.dev/article/gpt-proxy-npm-supply-chain/Aikido found a stage-2 Go binary inside two health-check-themed packages that runs an OpenAI-compatible router routing Claude, GPT, and Gemini traffic through Chinese aggregators.Sat, 25 Apr 2026 07:30:00 GMTsecuritysupply-chainnpmpypiai-securitymalwarellmchinacredential-theftluca-reinhardthttps://devtake.dev/article/bitwarden-cli-shai-hulud-npm-worm/https://devtake.dev/article/bitwarden-cli-shai-hulud-npm-worm/A malicious @bitwarden/cli@2026.4.0 hit npm on April 22. The payload steals npm tokens, cloud secrets, and Claude Code credentials, then self-replicates.Thu, 23 Apr 2026 19:00:00 GMTsecuritybitwardenshai-huludnpmsupply-chainwormcredential-theftcheckmarxcicdluca-reinhardthttps://devtake.dev/article/microsoft-aspnet-emergency-patch/https://devtake.dev/article/microsoft-aspnet-emergency-patch/CVE-2026-40372 lets attackers forge auth cookies on .NET 10.0.6 apps on Linux and macOS. The fix is 10.0.7. Here's what broke, who's exposed, and how to patch.Thu, 23 Apr 2026 09:30:00 GMTsecuritymicrosoftaspnetdotnetcve-2026-40372data-protectionout-of-band-patchsupply-chainluca-reinhardthttps://devtake.dev/article/protobuf-javascript-rce-cve/https://devtake.dev/article/protobuf-javascript-rce-cve/GHSA-xq3m-2v4x-88gg hits protobuf.js ≤8.0.0 / ≤7.5.4. Attacker-controlled schemas executed arbitrary JS on decode. One-line fix patched it.Tue, 21 Apr 2026 12:00:00 GMTsecuritynpmprotobufjavascriptsupply-chainrceendor-labsgrpcluca-reinhardthttps://devtake.dev/article/github-fake-star-economy/https://devtake.dev/article/github-fake-star-economy/A Carnegie Mellon study counted 6 million suspected fake stars across 18,617 GitHub repos. Here's what the StarScout research actually found and how to read a star count now.Mon, 20 Apr 2026 16:00:00 GMTopen-sourcegithubfake-starsstarscoutopen-sourcesoftware-researchicse-2026supply-chainai-repossoren-vanekhttps://devtake.dev/article/vercel-breach-april-2026/https://devtake.dev/article/vercel-breach-april-2026/A Context.ai compromise let attackers take over a Vercel employee's Google Workspace. Non-sensitive env vars were exposed, and a ShinyHunters persona is asking $2M.Mon, 20 Apr 2026 09:00:00 GMTsecurityverceldata-breachoauthsupply-chaincontext-aishinyhuntersgoogle-workspaceluca-reinhardthttps://devtake.dev/article/trivy-supply-chain-attack-compromise/https://devtake.dev/article/trivy-supply-chain-attack-compromise/Attackers force-pushed 75 of 76 trivy-action tags to a malicious commit. Pinning by tag turned a trusted scanner into an infostealer for CI pipelines.Sat, 18 Apr 2026 08:30:00 GMTsecuritysupply-chaintrivyaqua-securitygithub-actionscicddevsecopsteampcpluca-reinhardt